The standard contractual clauses (SCCs) remain appropriate safeguards for transferring personal data out of the EEA, according to the Advocate General of the Court of Justice of the European Union (CJEU) in his opinion in the Facebook Ireland Limited/Maximillian Schrems case.
The opinion by the Advocate General is the latest development in the long-running dispute between Facebook Ireland and Max Schrems, an Austrian privacy activist. The CJEU press release is available here and the Advocate General’s opinion here.
Under Article 44 of the GDPR, personal data can only be transferred out of the EEA in certain circumstances (namely, if the controller and processor comply with the provisions in Chapter V of the GDPR). This seeks to ensure that the personal data of data subjects in the EU is protected regardless of where the processing of it takes place. Transfers can be made to non-EEA countries by relying on an adequacy decision, whereby the EU designates a third country as ensuring an adequate level of data protection, or alternatively, through the use of appropriate safeguards such as the SCCs (otherwise known as the ‘model clauses’).
The SCCs are standard protection clauses, the wording of which is set out in an EU Commission decision, that can be put in place between the exporter and importer of the data and which contain guarantees given by the data importer as to how the personal data will be handled. This opinion relates to the SCCs adopted by the Commission in Decision 2010/87/EU for use where an exporter is a controller in the EEA and an importer is a processor outside of the EEA.
In 2013, Mr Schrems attempted to stop Facebook from transferring his personal data to servers in the US for processing. He claimed that in the US personal data was not subject to adequate protection against surveillance, in light of the revelations made by whistle-blower Edward Snowden concerning the activities of the National Security Agency (NSA).
Mr Schrems’ actions were influential in overturning the previous “Safe Harbour” agreement on transatlantic data flows in 2015, which was determined by the CJEU to be invalid and has since been replaced with the “Privacy Shield” framework. Following the CJEU’s judgment, Mr Schrems was invited by the supervisory authority to reformulate his complaint and it is his reformulated complaint that contested the validity of the SCCs.
The Advocate General’s conclusion that the questions for preliminary ruling have “disclosed nothing to affect the validity” of the SCCs is useful to businesses which process personal data outside the EEA and for the many businesses in the EEA that transfer personal data to entities outside the EEA, such as to sub-contractors or group companies in non-EEA countries, in reliance on the SCCs. Even so, the Advocate General was careful to make clear that businesses must still assess the context.
The Advocate General also suggested that the substance of the referral by the Irish High Court “calls into question” the validity of the Privacy Shield decision. The sufficiency of Privacy Shield was out of the scope of the Advocate General’s opinion, but this may still cause unease for those relying on the Privacy Shield in order to make transfers to the US.
Although the Advocate General’s opinion is not binding on the CJEU, it will be interesting to see whether it influences the outcome of the forthcoming case, in which judgment is expected in a few months.