Advocate General Henrik Saugmandsgaard Øe questions transfers to third countries
On 19 December 2019 the Advocate General with the European Court of Justice (“ECJ”) Mr. Henrik Saugmandsgaard Øe published his opinion in the case “Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems” (case C-311/18; “Schrems II”). Companies transferring personal data to countries outside of the EU (“third countries”; “international data transfers”) should pay particular attention to this case. In the future, a data protection supervisory authority (“DPA”) could prohibit international data transfers although Standard Contractual Clauses (“SCC”) have been agreed upon (and complied with). This could also impact other safeguards in the context of international data transfers (e.g. Binding Corporate Rules; “BCR”).
This opinion is marked by numerous procedural questions as well as procedural directions. From a practical point of view, the following short-term takeaway is relevant:
The Advocate General recommends that the ECJ continue to consider the decision of 5 February 2010 (2010/87/EU; “Decision 2010/87/EU”) on the applicability of SCC to be lawful. The Advocate General sees no reason – regarding the present proceedings – to declare the Decision 2010/87/EU invalid.
Should the ECJ follow the Advocate General, companies can still use SCC to justify international data transfers. However, as a long-term takeaway, this principle could turn into an exception. If the ECJ agrees with the view of the Advocate General, a radical change with regard to international data transfers could follow. Companies might no longer be able to rely on safeguards in accordance with the General Data Protection Regulation (“GDPR”) when transferring personal data to third countries. The Advocate General (probably) takes the view that a DPA can issue orders to suspend international data transfers in individual cases. Therefore, a DPA might in future prohibit international data transfers even though SCC have been agreed upon (and complied with) because of a different data protection level in a specific third country.
I. History and Background
This case has a longer history. The starting point is a complaint that Mr. Schrems filed with the Irish DPA.
In essence, Mr. Schrems challenged the legality of the transfer of personal data by Facebook Ireland Ltd. to Facebook, Inc. (based in California, U.S.A.; “Schrems I”). According to Mr. Schrems, the (now invalid) Safe Harbor Agreement did not provide an adequate level of data protection in the U.S.A. Among other things, U.S. authorities could access personal data of data subjects without the possibility of adequate legal remedies for those data subjects. The transfer of personal data on the basis of the Safe Harbor Agreement was therefore inadmissible. With the Schrems I decision, the ECJ declared the EU Commission's decision on the Safe Harbor Agreement of 26 July 2000, decision 2000/520/EC, invalid. The Schrems I decision accelerated the negotiations on the (currently valid) Privacy Shield.
II. Schrems I decision has no influence on SCC (for now)
The Decision 2010/87/EU on the applicability of SCC was not affected by the Schrems I decision. This legal instrument could still be used for international data transfers. The EU Commission had formulated certain standard contractual clauses for international data transfers in Decision 2010/87/EU. If parties agree on these clauses, they are obliged to comply with certain protection requirements with regard to personal data. These obligations can be used to justify an international data transfer, e.g. to transfer personal data from an EU company to a U.S. company. The SCC are thus one way of justifying international data transfers (please see Article 46 (2) (c) GDPR).
III. Key question in the Schrems II proceedings
Facebook Ireland Ltd. uses SCC concluded with Facebook, Inc. as justification for the corresponding international data transfers. Mr. Schrems reworded his complaint after Facebook Ireland Ltd. informed him of this.
The key question of the referring court in the Schrems II proceedings is whether Decision 2010/87/EU violates certain European fundamental rights, protected by the European Convention on Human Rights, or not (please see question no. 11 in paragraph no. 76 of the opinion). Mr. Schrems questions the validity of Decision 2010/87/EU in particular because of the limited binding effect of SCC. Only the parties agreeing on the SCC are bound by them. Therefore, e.g., if two private companies conclude SCC, state or federal authorities would not be obliged to guarantee a certain level of protection with regard to personal data. For international data transfers from the EU to the U.S., this means that even the conclusion of SCC would not provide an adequate level of data protection. In particular, various surveillance measures by U.S. Federal Authorities and a lack of legal protection for data subjects could lead to the conclusion that there is no adequate level of data protection in the U.S.A. (even though SCC have been concluded and complied with by the parties processing relevant personal data).
IV. No need for the ECJ to declare Decision 2010/87/EU invalid
In conclusion, the Advocate General sees no reason for the ECJ to declare Decision 2010/87/EU - in the present case - invalid. The Decision 2010/87/EU does not violate various European fundamental rights.
For one thing, the fact that federal or state authorities are not bound by SCC (which they are not a party to) is not sufficient to assume that European fundamental rights are violated. Federal or state authorities can impose obligations on the data recipient (“importer”). It is possible that the importer, if he observes these obligations, may in turn violate his obligations to the data transmitter (“exporter”). This mere fact alone does not justify the invalidity of the Decision 2010/87/EU.
On the other hand, the question is whether there are sufficient legal tools in place to react to such a case (without at the same time declaring the current system of the SCC completely invalid). DPAs have various powers in accordance with Article 58 (2) GDPR. Among other powers, they can temporarily or permanently restrict the exporter’s data transfer to the importer (please see Article 58 (2) (f) GDPR). A DPA could use this power if an importer – as a result of an administrative and/or court order in a third country – is caught between a rock and a hard place: either to comply with such an order or with his obligations under the SCC.
With such a power, the fundamental rights of affected data subjects can be safeguarded in individual cases without having to declare Decision 2010/87/EU invalid.
In the view of the Advocate General Decision 2010/87/EU should remain valid. Companies could therefore continue to use SCC in the future. In specific individual cases, a DPA could take measures to prevent certain data transfers to a third country. A DPA should, if necessary, consult with the European Data Protection Board before imposing such a ban. The Advocate General does not call into question the fundamental system of SCC as one way to justify international data transfers.
The judges of the ECJ are not bound by the opinion of an advocate general. However, they regularly follow the opinion of an advocate general. It remains to be seen how the judges will answer the questions in Schrems II, particularly in the light of various procedural questions that are relevant for certain procedural directions.
Irrespective of the present preliminary ruling procedure, another pending case at the ECJ may lead to a readjustment of international data transfers with regard to the U.S.A. The subject matter of the proceedings in “La Quadrature du Net and Others v Commission” (case T-738/16) is the question whether or not the EU Commission’s implementing decision (EU) 2016/1250 of 12 July 2016, on the applicability of the EU-US Privacy Shield, violates certain European fundamental rights. The Advocate General refers to this procedure several times.
SCC are relatively easy to apply in practice, a factor that will also become relevant from a data protection perspective with the upcoming Brexit.
Caution is advised. If we take the Advocate General's opinion (in particular in paragraphs no. 121 et seq.) further – and if this opinion is adopted by the ECJ on the relevant merits – the current system of safeguards regarding international data transfers is called into question.
Following the Advocate General’s opinion, Decision 2010/87/EU would still be valid. A DPA could prohibit corresponding international data transfers in individual cases, if the DPA identifies possible deficits with regard to an adequate data protection level in a certain third country. This could lead to a situation where SCC could no longer be applied to certain third countries (or perhaps to parts of them), although Decision 2010/87/EU (still) remains valid.
This calls into question the system of safeguards regarding international transfers in accordance with Article 44 et seqq. GDPR. A company could no longer rely on the fact that it has complied with the relevant data protection requirements by concluding (and complying with) SCC (please see Article 46 (2) (c) GDPR). A DPA could nevertheless prohibit international data transfers due to factors outside of the importer’s and exporter’s sphere of influence. As a result, safeguards in the sense of international data transfers between private companies would no longer be suitable for creating legal certainty for those companies. Structural data protection deficits – from a European DPA’s perspective – in a third country would, for example, also call into question BCR. The purpose of safeguards regarding international data transfers would vanish.
This would enable a DPA to act with a power that an administrative authority or agency usually does not have under the principle of separation of powers. It could de facto eliminate the applicability of a (still) valid legal act (here: Decision 2010/87/EU) by consistently prohibiting international data transfers on the basis of this (still) valid legal act. Furthermore, a DPA has to act in accordance with the principle of self-commitment of the administration and the general principle of equality. Therefore, once a DPA sets a tone for a specific third country, this DPA might have to handle cases with regard to this country in a similar way.
The opinion of the Advocate General would be a Pyrrhic victory for companies that want to use SCC in order to comply with the corresponding GDPR requirements. The principle that companies can use SCC as a safeguard for international data transfers could turn into the exception.