Readers of these posts will be familiar with the ban, under Chapter V of GDPR, on exporting personal data outside the EEA except to approved third countries, or where other safeguards are put in place.
One of those safeguards is a set of European Commission-approved contract clauses that can be put in place between the EU-based exporter of the data and the overseas importer. The clauses effectively bind the importer to give individual data subjects rights to object to the importer’s use of the personal data. These standard clauses have been used extensively by businesses to permit intra-group and external cross-border sharing of personal data, where other safeguards are not applicable.
Readers will also recall activist Max Schrems, who brought proceedings in Ireland (against Facebook) to challenge the use of another safeguard mechanism for exports to the USA, the ‘Safe Harbor’ scheme. The challenge was successful, and forced the US and EU to agree new arrangements in the form of the ‘Privacy Shield’ introduced in 2015.
When the complaint was returned to the Irish privacy supervisor, Facebook then argued that their transfers were carried out using the standard clauses. This has led to a further court case in which Schrems argues that the standard contract clauses for export do not adequately protect the interests of data subjects whose personal data is transferred using them, and the case has (again) reached the Court of Justice of the European Union (CJEU). Interestingly, the Irish court also asked the CJEU to consider whether the Privacy Shield arrangement met GDPR requirements.
Before the CJEU gives its decision, a court officer, the Advocate-General (AG), publishes an opinion, in which he or she recommends how the court should decide the case. In the vast majority of cases, the full CJEU rules for the same party as recommended by the AG, although it is not obliged to do so.
AG Saugmandsgaard issued his opinion in the Schrems II case on 19 December 2019[i]. His recommendation was that the CJEU should reject Schrems’ argument that the adoption of the standard clauses was invalid. He suggested, however, that they would only work as a mechanism if the controller/exporter was under an obligation to suspend the flow of data if it became clear that the law applicable to the data importer meant that it was impossible or unlawful to comply with the obligations contained in the standard clauses.
Although the AG said he thinks the CJEU should not decide anything about Privacy Shield, he went on to review the US intelligence gathering regime and said “… I entertain certain doubts as to the conformity of the Privacy Shield to … the GDPR”.
If the CJEU were to follow the AG’s opinion, the standard clauses would remain a tool available to EU-based controllers/exporters, but arguably only in the short term: individuals could ask supervisory authorities to rule that individual transfers could not rely on the benefit of the clauses where there was evidence to suggest that the importer could not in practice comply with the terms.
The CJEU’s decision is expected in March or April 2020.
[i] Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, case C-311/18, AG’s opinion 19.12.19 https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62018CC0311&from=EN