Schrems II: Has Christmas come early for Standard Contractual Clauses?

On Thursday the 19 December, Advocate General Saugmandsgaard ØE delivered his opinion on Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems – otherwise known as “Schrems II” (or at least to technology lawyers!). Whilst the opinion is not binding, it gives a clear indication of the stance the Court of Justice of the European Union (“CJEU”)  will likely take in relation to the long anticipated judgment of Schrems II.

Summary of Schrems II

Maximillian Schrems, famous for the case which brought an end to the safe harbour framework, and created a storm within the technology sector in doing so, set his sights on the validity of the transfer mechanism of Standard Contractual Clauses (“SCCs”) as a secure method of transferring data from the European Economic Area (“EEA”) to non EEA countries. SCCs are the preferred mechanism for transfers of personal data by many technology companies, including Facebook (with the data of Facebook users who reside in the EU being transferred to servers which are located in the USA, and subsequently processed there).

Schrems complained to the Irish Data Protection Commissioner about certain transfers of his personal data from the EEA to the US on the basis of the SCCs, emphasising that the SCCs cannot be enforced effectively in light of revelations regarding the level of US national security agencies’ access to the relevant personal data.

In Schrems II the CJEU has been asked by the Irish High Court to consider whether the European Commission Decision 2010/87/EU in which the Commission established that the SCCs mechanism which are relied on to facilitate the transfers which Schrems complained about were classed as valid.

Advocate General Opinion

The Advocate General took the view that the validity of European Commission Decision 2010/87/EU regarding the SCCs adopted by the European Commission should not be affected by the questions referred to the CJEU by the Irish High Court, and that the SCCs provide a valid mechanism to facilitate international transfers of personal data.

Where the SCCs are relied upon to legitimise the transfer of personal data to a third country, the onus is on the controller and supervisory authority to prohibit the transfer where the SCCs cannot be complied with due to the laws of the third country of the data importer.

The CJEU should refrain from ruling on the impact of Privacy Shield on the complaint raised by Schrems in the case and the validity of the Privacy Shield decision. However, the Advocate General did set out a number of observations from paragraphs 188-342, including reasons that led him to question the validity of the Privacy Shield decision. These observations could influence the CJEU on the other privacy shield case currently making its way through the court ( Case T-738/16 La Quadrature du Net v Commission) which has been delayed as a result of Schrems II.

Secure transfer mechanisms

The Advocate General’s opinion is thought to provide the technology sector (and more broadly) some comfort over the use of SCCs as a secure method of transfer of data out with the EEA. The CJEU could however take a different view in the long awaited final decision on Schrems which is expected in January 2020. In the meantime, organisations can and should continue to use SCCs as a valid transfer mechanism for personal data out with the EEA.

This article was co-written by Olivia Keary.

Latest updates from @MacRoberts