On December 19, 2019, the Advocate General of the Court of Justice of the European Union (the “CJEU”) handed down his opinion in the so-called “Schrems II” case (case C-311/18). He recommended that the CJEU uphold the validity of the Standard Contractual Clauses (“SCCs”) as a mechanism for transferring personal data outside of the EU. Given that SCCs are the key data transfer mechanism used by many organizations to transfer personal data outside of the EU, the opinion has far-reaching repercussions and will be welcomed by businesses across the globe.
The case concerns Max Schrems, an Austrian privacy advocate, who filed a complaint with the Irish Data Protection Commissioner (“Irish DPA”) in 2015 challenging Facebook Ireland’s reliance on the EU SCCs as a legal basis for transferring personal data to Facebook Inc. in the U.S. Facebook turned to SCCs following the earlier invalidation of the U.S.-EU Safe Harbor Framework.
Schrems alleged that Facebook should be prohibited from transferring data to the U.S. pursuant to the SCCs, as (1) the clauses adopted by Facebook are not consistent with the SCCs, and (2) the SCCs do not ensure an adequate level of protection for EU data subjects. Schrems’ main argument was that U.S. legislation does not explicitly limit interference with an individual’s right to protection of personal data unless strictly necessary, as provided for by EU data protection law, and accordingly there was no remedy that would allow data subjects to ensure protection of their personal data once it had been transferred to the U.S. Schrems requested that the Irish DPA suspend the transfer of personal data by Facebook Ireland to the U.S. The Irish DPA, in turn, brought proceedings against Facebook before the Irish High Court, challenging the validity of the SCCs. The High Court subsequently referred 11 questions to the CJEU for a preliminary ruling.
The Advocate General noted that, in considering whether the SCCs afford an adequate level of protection for personal data transferred outside of the EU, it is not necessary to assess whether the laws and practices of the country to which personal data is transferred offer an adequate level of protection. The Advocate General was of the opinion that the SCCs remain valid for the transfer of personal data from the EU to third countries. The mere fact that the SCCs are not binding upon authorities in third countries to which personal data is transferred does not in itself mean that the SCCs do not provide sufficient safeguards. On the contrary, the SCCs contain provisions requiring the suspension of data transfers if it is impossible for the recipient of personal data to honor the protections provided by the SCCs due to local laws and practices. Further, where that is the case, EU data protection supervisory authorities have the power to temporarily or permanently suspend transfers to the country in question.
In reaching his conclusion, the Advocate General adopted a pragmatic approach, and noted “on the one hand, the need to show a ‘reasonable degree of pragmatism in order to allow interaction with other parts of the world,’ and, on the other hand, the need to assert the fundamental values recognised in the legal orders of the Union and its Member States, and in particular in the Charter.”
The Advocate General’s opinion, if followed by the CJEU in its full judgment (due in 2020), would mean that the SCCs remain a valid mechanism for transferring personal data from the EU to third countries. Although the Advocate General’s opinion is not legally binding, such opinions are followed by the Court in approximately 80% of cases.
The opinion, if followed by the Court, is particularly important in the context of the UK’s withdrawal from the EU. Most organizations have utilized SCCs as part of their Brexit preparations. If the Court agrees with the Advocate General, organizations will be able to continue to rely on the SCCs for transfers of personal data from the EU to the UK after Exit day.
The Irish DPC welcomed the opinion, and noted that the “approach is one in which responsibility for ensuring the protection of the data protection rights of EU citizens rests with controllers in the first instance and, in the view of the AG, with national supervisory authorities where a controller fails to discharge its obligations.”
Although the Advocate General noted that the proceedings did not require him to consider the ongoing validity of the EU-U.S. Privacy Shield Framework, as that question is irrelevant to the proceedings at hand, he raised some concerns about the ongoing validity of the Privacy Shield. His particular concern is that the Ombudsman established in the U.S. to adjudicate complaints relating to the use by U.S. intelligence services of personal data transferred to the U.S. does not satisfy the condition of judicial independence, and does not provide an effective means by which individuals whose personal data is used by U.S. intelligence services may challenge that use of their personal data, or obtain access to, or rectification or deletion of, that data. It remains to be seen whether the CJEU will address the validity of the Privacy Shield in its full judgment in this case. For now, it appears that the Privacy Shield is likely to remain a valid data transfer mechanism.
The Advocate General’s opinion provides welcome relief to the many companies that rely on the SCCs to transfer personal data from the EU to the U.S. and to numerous other jurisdictions. The EU General Data Protection Regulation provides limited means for companies to transfer personal data outside of the EU, and if the CJEU’s ruling diverges from that of the Advocate General, companies will need to seek alternative means to transfer personal data outside of the EU or suspend those data transfers.
View our previous blog posts on developments of the case throughout May 2016, October 2017, August 2018 and July 2019.