Standard Contractual Clauses survive (for now)

Advocate General issues opinion in Schrems II

The Advocate General of the European Court of Justice (“ECJ”) has recommended that the court upholds the validity of the controller-to-processor Standard Contractual Clauses in the case of Data Protection Commissioner v Facebook Ireland Limited (commonly referred to as Schrems II).

Background and facts

The case concerns the Austrian privacy activist, Max Schrems, and the transfer of his personal data by Facebook from Ireland to the US. In an earlier decision involving Schrems and Facebook, the ECJ invalidated the EU-US “Safe Harbor” transfer mechanism (which then led to the EU-US “Privacy Shield” framework being implemented as a replacement for the Safe Harbor scheme).

At a very high level, Schrems’ complaint in the present case is that Facebook should not be allowed to rely upon the Standard Contractual Clauses to transfer his personal data to the US since these do not adequately protect his personal data once transferred due to the wide-reaching surveillance powers provided to US governmental organisations.

Although the case relates specifically to transfers by Facebook to the US, one potential outcome of the case was that the Standard Contractual Clauses would be invalidated. This would have broad implications for a large number of businesses which currently rely upon Standard Contractual Clauses as a convenient mechanism to transfer personal data outside the European Economic Area.

Advocate General’s Opinion

Given the opinion of the Advocate General, which is not binding on the ECJ but which is followed in around 80% of cases, it seems unlikely that such an outcome will materialise.

The key points to note from the Advocate General’s opinion are as follows:

• The decision of the ECJ should not result in the Standard Contractual Clauses being invalidated. These are designed to provide protection to the transferred data through contractual means, irrespective of the law in the country of the data importer.
• It is for the controller (the data exporter) to assess on a case-by-case basis whether the Standard Contractual Clauses can be or are being implemented properly in practice (including by reference to the law of the country of the importing party). If not, the transfers must be prohibited or suspended by the controller.
• Where it appears that the Standard Contractual Clauses are not being complied with, supervisory authorities (such as, in the UK, the ICO) are required to take measures to remedy this, for example, by ordering suspension of the transfer.
• The ECJ should not rule on the validity of the EU-US Privacy Shield framework as part of its decision, (although the Advocate General discusses this at length in his opinion and casts doubt on its validity as a transfer mechanism).

Other points

It is to be expected that the EU Commission will issue updated controller-to-processor Standard Contractual Clauses in the not-too-distant future. The consensus is that they are outdated and in need of a refresh to reflect the requirements of the GDPR.

Conclusion

The Advocate General’s opinion will come as welcome news to the numerous businesses which currently rely upon Standard Contractual Clauses. The opinion highlights, however, that businesses should in practice be reviewing compliance with such clauses and not simply treating the implementation of the contracts as a tick-box exercise.

The above is of course subject to change based on the final decision of the ECJ in this case, expected early 2020. We will be watching out for this and will update you once we are in a position to do so.