The Advocate General (“AG“) of the Court of Justice of the European Union (“ECJ“) has recommended that the Standard Contractual Clauses (“SCCs“) should remain a valid mechanism to legitimise the transfer of personal data to third countries. However:
- the AG notes that both companies and regulators need to ensure that there are “sufficiently sound mechanisms” to suspend or prohibit transfers to third countries where there is a conflict between the SCCs and the laws of that third country;
- Whilst businesses can breathe a sigh of release in the short term, there is no guarantee that the ECJ will follow the AG’s recommendation;
- Even if the ECJ does agree with the AG recommendations, those suggest that exporting controllers may be expected to undertake a level of due diligence before exporting personal data.
As set out in our previous post on the Schrems II hearing, the ECJ in November this year, heard oral submissions from a number of parties relating to the validity of the Standard Contractual Clauses and the EU-US Privacy Shield as a result of a referral from the Irish High Court containing a series of questions arising from a complaint made by Max Schrems regarding the protection of his personal data by Facebook when transferring personal data from Ireland to the US.
The AG’s Conclusion
Overall, the AG has recommended that the SCCs should remain a valid mechanism to legitimise the transfer of personal data to third countries.
Whilst this opinion is a welcome Christmas gift to the many businesses who transfer personal data on the basis of the SCCs, there are nonetheless elements of the opinion which suggest that the Commission may yet still review the SCCs and Privacy Shield. The opinion is non-binding, meaning that the ECJ could still reach a different conclusion. However, it is worth noting that, in the majority of cases, the ECJ follows the advice of the AG.
The AG’s Analysis
Although, the AG notes that the SCCs provide a “general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there“, he further considers that there should be an obligation on controllers and supervisory authorities to suspend or prohibit an international transfer where there is a conflict between the obligations of the SCCs and the obligations of the law of the third country.
This seems to suggest that there is some level of due diligence expected of controllers who are transferring personal data on the basis of the SCCs. For example, it suggests a conclusions whereby a controller may decide that a transfer to one particular third country is legitimised by the SCCs but a transfer to another third country would not be legitimised by the same mechanism.
It will be interesting to see how the ECJ responds to this point, and whether they give further clarity with regards to the level of knowledge about applicable data protection laws of the third country controllers and supervisory authorities are expected to have. If the relevant controller or supervisory authority considers that there is a conflict, they are expected to cease transferring personal data on the basis of Article 4 of the SCCs.
In relation to Privacy Shield, whilst the AG noted that the validity of Privacy Shield was not directly in scope of the questions referred from the Irish High Court, he has nevertheless commented. The AG considers that Privacy Shield may not provide equivalent protection to the GDPR as data subjects may not have the right to an effective remedy under the ombudsman relief mechanism. In addition, the AG considers that Privacy Shield and more broadly, US law, does not provide an equivalent right to respect for private life and the protection of personal data.