• The Court of Justice of the European Union (“CJEU“) has heard oral submissions in the latest case questioning the legal validity of international data transfer mechanisms under the GDPR, such as Standard Contractual Clauses and the EU-US Privacy Shield;
  • The Irish Data Protection Commissioner (“DPC“) is seeking a ruling that would find the so-called Standard Contractual Clauses, which are used to legitimise the transfer of personal data from Europe all around the world, as invalid because they do not provide adequate protection for individuals’ data;
  • The CJEU heard yesterday from the DPC, Facebook, the Electronic Privacy Information Center, DigitalEurope, the Business Software Alliance, the European Commission, the European Data Protection Board, the US government, several EU Member States and representatives of the original complainant Mr Schrems;
  • The Advocate General will give his non-binding opinion on the case on 12 December this year, with a full decision expected from the CJEU by early 2020;
  • If the Standard Contractual Clauses are declared invalid, this will have a huge impact on global trade, effectively putting the brakes on the international transfer of data.

Regulatory requirements for the international transfer of personal data

Chapter V of the GDPR provides that organisations within Europe are not able to transfer personal data to a third country outside of Europe unless one of a number of specified protections are in place to legitimise the transfer.

One such mechanism is where the country in question has been officially declared by the European Commission to provide adequate protection (a so-called ‘adequacy decision’). The US as a whole has not been found to be adequate by the European Commission, but there is a special agreement in place between the EU and the US, meaning that personal data can be sent to US organisations that are registered with the EU-US Privacy Shield (effectively meaning that such organisations have agreed to abide by a set of data protection principles, aligned to the principles under the GDPR in the EU). The Privacy Shield replaced its predecessor, the Safe Harbor, in 2016 after the CJEU had declared the Safe Harbor to be invalid as a result of a legal challenge brought by Mr Schrems (for further information, please see [here]).

Another important mechanism to legitimise the transfer of personal data globally (i.e. not just to the US), is for the exporting and importing organisations to enter into a set of contractual clauses approved by the European Commission and imposing data protection obligations on both parties. These clauses are referred to as the Standard Contractual Clauses, and are heavily relied upon by almost all organisations in Europe in order to legitimise the cross-border transfer of personal data.

Background to the case

Yesterday’s submissions to the CJEU came about as the result of a referral by the Irish High Court of a set of questions regarding the validity of the Standard Contractual Clauses. The case has its origins in a complaint made by Mr Schrems regarding the protection afforded to his personal data by Facebook when relying on the Standard Contractual Clauses to legitimise the transfer of personal data from Europe to Facebook’s operations in the US. This is the second time questions about international data transfers have been referred up to the CJEU as a result of the complaint brought by Mr Schrems, the first time having resulted in the CJEU declaring the Safe Harbor to be invalid.

For his part, it became clear during yesterday’s oral submissions that Mr Schrems himself does not wish the Standard Contractual Clauses to be declared invalid. He is asking the DPC to ensure that it enforces the clauses instead. However, questions remain regarding the ability of importing organisations to comply with the requirements of the Standard Contractual Clauses because of the access that certain foreign law enforcement agencies can have to data held in their jurisdiction. Similarly, if an organisation is unable to comply with the Standard Contractual Clauses, it follows that the same may apply to the EU-US Privacy Shield, which is why that may also be considered.

Next steps

The CJEU’s Advocate General has said he will give his non-binding opinion on the case on 12 December this year, with a full decision expected from the CJEU by early 2020. It is difficult to predict what the outcome will be but the impact on global trade should the Standard Contractual Clauses and the Privacy Shield be found to be invalid should not be underestimated. In the commercial context, such a decision would leave companies with very little option to be able to transfer personal data overseas other than seeking consent from the individuals in question, something which is likely to be impractical in almost all circumstances and not possible in certain cases. For example, the GDPR makes it clear that employee consent is rarely likely to be valid, meaning that companies would not be able to rely on that to transfer employee personal data out of the EU.

Miriam Everett

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378