BLOG -


CJEU hears oral arguments in Schrems II: Privacy Shield and SCCs invalid?

On the 9th July 2019 the Court of Justice of the European Union heard oral arguments from the various parties and interveners in case C-311/18 as Austrian lawyer Max Schrems once again squares off against Facebook. The Court is being shepherded by the Irish Data Protection Commissioner ("DPC") into making another potentially seminal decision on personal data transfers, which could have wide ranging effects for the viability of data transfers not just between the EU and the USA, but between the EU and most of the rest of the World.

Data transfers and Standard Contractual Clauses

Schrems is seeking to challenge Facebook's transfer of personal data from the EU to the USA under the guise of Standard Contractual Clauses ("SCCs"). Schrems has form for holding the social media giant to account for its handling of personal data and has already lent his name to a ground-breaking judgement of the CJEU which led to the abandoning of the Safe Harbour framework and its replacement with the Privacy Shield. He had filed complaints with the DPC in 2011 pertaining to the transfer of personal data by Facebook from Ireland to the USA, which he subsequently withdrew in 2014 citing lack of a fair process. He now finds himself arguing before the CJEU once more after re-filing those initial complaints. The DPC refused to make a decision on the SCCs relied upon by Facebook, instead referring the matter to the Irish courts which have, in turn, referred preliminary questions on EU law to the CJEU.

Transfers of personal data to a third country outside of the EU need to comply with Art. 44 to Art. 50 GDPR. Accordingly, they must either be to a country subject to an adequacy decision from the European Commission (e.g. Israel, Japan, New Zealand) or use appropriate safeguards within the meaning of Art. 46 GDPR. Amongst the appropriate safeguards provided for by Art. 46 are SCCs. Schrems has challenged Facebook's use of SCCs to transfer personal data to the USA, primarily because of the mass collection of personal data by US authorities which was exposed by Edward Snowden in 2013. He argues that the clauses relied upon by Facebook for the data transfer were not actually compliant with the SCC decisions. Additionally, in his submissions to the Irish High Court he argued that Art. 4 (1) of SCC Decision 2001/497/EC enables and requires the DPC to prevent data transfers in individual cases involving the use of SCCs where the law to which the data importer is subject does not provide adequate safeguards.

DPC forcing the Court's Hand?

The DPC has placed the CJEU in the unenviable position of having to decide on the admissibility of SCCs not just on the facts of the particular case, but also generally as a means of ensuring a proper level of data protection when transferring personal data to third countries outside of the EU. By refusing to decide on the admissibility of Facebook's SCCs in the particular case and instead seeking a ruling on the admissibility of SCCs as a means of affording adequate data protection levels in the abstract, the DPC has placed the CJEU in a precarious position. This may even result in the CJEU striking down a vital method for ensuring appropriate safeguards for the transfer of personal data where there is not (yet) a Commission adequacy decision in place for the respective recipient third country. This would have effects beyond the transfer of personal data between the EU and US, as SCCs are heavily relied upon for data transfers worldwide.

Bizarrely, in so doing the regulator has gone much further than even Schrems had anticipated. The Austrian lawyer had never intended to challenge the admissibility of SCCs per se, but merely objected to their use in the particular circumstances given the sweeping surveillance laws to which US companies are subject. He had also not even expected all data transfers to the US using SCCs to cease; he differentiates between Electronic Communications Service Providers which are subject to FISA courts and other businesses which are not subject to American surveillance laws in the same manner. The DPC accordingly came in for some heavy criticism for referring the question and refusing to decide the case by itself from an odd alliance comprised of Schrems, industry lobbyists, national governments, the European Commission and the European Data Protection Board. As was noted by Schrems imself, it's "not often that (as a consumer) you agree with the industry more than with the regulator".

What to expect and steps to take

An advisory Opinion from the Advocate General can be expected in December 2019, with the decision due next year. If the CJEU were to strike down the SCCs it would be a drastic and rather unexpected step. However, it remains a distinct possibility. It is also possible that the Court may keep SCCs intact but hold that their use to transfer personal data specifically to the USA is problematic, thereby requiring the DPC and other supervisory authorities across Europe to evaluate their use more carefully on a case-by-case basis.

Therefore controllers transferring personal data outside of the EU relying on SCCs should consider other options as an alternative where possible. Corporate groups may take advantage of Binding Corporate Rules, whilst other controllers may instead seek to rely on other bases for the transfer under the "derogations for specific situations" provided in Art. 49 GDPR, such as informed consent or necessity for the performance of a contract. Of course, these derogations are not suitable for all transfers, especially where these transfers are repetitive or concern many data subjects.

Most importantly, controllers must make themselves aware of exactly which data they transfer, to which countries and using which safeguards. This will enable them to be proactive in their response once the Advocate General indicates how the Court will likely decide.

If you have any questions regarding this topic, please feel free to contact Dr Axel von Walter and Sam Cross, LL.M.

TAGS

Data Protection Data Protection Law Information Technology & Telecommunication Law Information Technology, Telecommunication Privacy Shield