Privacy and Data Transfers: X-raying the Schrems-Facebook case
The legality of standard contractual clauses
27 January 2020
On 19 December 2019, Advocate General (AG) Henrik Saugmandsgaard Øe of the Court of Justice of the EU (CJEU) expressed his Opinion on the case Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, referred to throughout as “Schrems II”). The case has received a great amount of attention and raises a significant number of questions regarding the regulation of international data transfers under EU data protection law.
There has been a great sense of relief and appreciation from the international community after the publication of the opinion of the Advocate General of the European Court of Justice, Henrik Saugmandsgaard Øe, in relation to the second "episode" of the dispute between Max Schrems and Facebook on the validity of the transfer of personal data outside the European Union.
Background: EU-US data transfers under attack … again
Privacy lawyers clearly remember Max Schrems for causing many sleepless nights following the invalidation by the European Court of Justice of the Safe Harbor programme for the transfer of personal data to the United States. The invalidation had forced U.S. companies to promptly adopt "standard contractual clauses" (SCCs) approved by the European Commission to regulate the transfer between controllers and order data processors.
Schrems has now challenged the validity of the SCCs, alleging that the protections provided by them can be reduced or completely eliminated if the law of the country to which the personal data is transferred includes obligations that are contrary to the provisions of the SCCs.
This aspect is extremely important because, if the SCCs were to be invalidated, the transfer of personal data within the context of data processing to countries that are not considered by the European Commission to provide adequate protection for personal data would be almost completely stopped. In fact, the only alternatives that would remain would be: the "Privacy Shield" for transfers only in the United States – which could be challenged on the basis of the same arguments used against the SCCs ; and the so-called binding corporate rules for intra-group transfers which typically have quite long approval times.
For this reason, the Advocate General's opinion on the case now labelled Schrems II that SCCs should not be invalidated was applauded by the market. The ball is now in the European Court of Justice's court and it remains to be seen if the Court will confirm the Advocate General's interpretation and if that will be the last episode of the data transfers saga.
SCCs are valid, but a case-by-case assessment of each data transfer remains necessary, the Advocate General says
Advocate General Henrik Saugmandsgaard Øe has concluded that SCCs comply with the GDPR or in general with European legislation on the processing of personal data, although a case-by-case assessment is necessary in relation to each transfer of personal data regarding the existence of adequate protection with respect to the transferred data. Assessing the validity of the SCCs is therefore not only a question of compatibility of the foreign legislation with European legislation on the processing of personal data, but an assessment of each transfer.
According to the Advocate General, if the data controller is informed by the data importer, i.e. the data processor, that compliance with the SCCs is not possible due to applicable law, the data controller not only has a right but an obligation to suspend the data transfer. The same applies if the data controller is informed by a supervisory authority of such non-compliance. Therefore, the AG stated that data controllers should conduct a detailed examination of "all the circumstances characterizing each transfer" when using the SCCs. This examination may include consideration of the criteria that the Commission is required to assess under Article 45(2) GDPR when considering whether to issue an adequacy decision (para. 135), such as the rule of law and respect for human rights in the country of transfer.
However, one can ask whether commercial data controllers are qualified to assess such factors, a point that has led to controversy concerning the role of data controllers in balancing rights under the Court’s Google Spain judgment (Case C-131/12), and that of social media platforms with regard to removing online content under its recent Glawischnig-Piesczek v Facebook judgment (Case C-18/18).
This method would also entail a risk of inconsistency in the approach between the different national privacy authorities which is only reduced by the presence of the 'one stop shop' mechanism foreseen by the GDPR. Likewise, the suspension or blocking of the transfer of personal data would have no effect when compared to data already transferred for which the only available remedy would be compensation for damages.
All the above considered, the Advocate General concluded that a pragmatic approach is to be preferred, therefore the abovementioned arguments should not be sufficient to conclude that the SCCs are invalid.
In the aftermath of the Opinion:
Consistency among EU Member States' approach remains a distant goal
The pragmatic approach the Advocate General envisages could, in principle, open the door to further inconsistency within the European Union on the rules relating to the processing of personal data. Less than two years after the beginning of the applicability of the GDPR, we still are at a stage where the aim to ensure greater consistency in the European framework on the rules on the processing of personal data has been undermined by rather different approaches on the part of national legislators and privacy authorities.
The hope (especially for Tech companies) is that the European Court of Justice will not only confirm the validity of the SCCs, but also give detailed instructions as to the cases in which they cannot be used, in such a way as to avoid a paralysis of the worldwide market which is increasingly based on the transfer of personal data.
A call for data controllers' accountability and Data Protection Authorities' overview
The Opinion combines a meticulous and thorough analysis of the legal issues with an eye for the larger questions involved, such as the case’s international implications.
The Advocate General refrained from advocating sweeping action (such as invalidating the SCCs or the Privacy Shield) and sought instead to ensure protection of data transfers under the SCCs by strengthening the obligations of both data controllers and data processing authorities (DPAs):
- With regard to data controllers, this means that they are required to suspend any data transfer to a data processor once they are informed by the data importer that the local law prevents the data importer from complying with the SCCs.
- DPAs should suspend data transfers under the SCCs in cases where they find that there is a lack of protection.
In effect, the above allocation of roles results in controllers and DPAs sharing responsibilities for the transfer between the two, with data controllers ensuring protection before the transfer has been carried out (or where legal circumstances change during the transfer), and the DPAs doing so afterwards.
By finding that DPAs must suspend transfers when data protection is not ensured, the Opinion would appear to increase the pressure on the Irish Data Protection Commissioner (DPC) to take some kind of enforcement action against Facebook. The DPC has been criticised for failing to sanction Facebook earlier, but given the Court’s insistence in the first Schrems case on questions concerning adequacy being referred to it, one can understand the DPC’s reluctance to take action before questions of such fundamental importance were clarified by the courts, which also has the advantage of fostering legal harmonisation.
What's next for international data transfers?
The outstanding question now is whether the Court of Justice will follow the conclusion and recommendations of the Advocate General with regard to the two issues of greatest practical and political significance, namely the validity of the SCCs and of the Privacy Shield. The Advocate General’s decision not to invalidate the SCCs seems to be based largely on strategic and procedural considerations on which the Court could take a different view if it wants, and one cannot help but recall Google Spain, where AG Jääskinen struck a balanced tone in his opinion concerning the “right to be forgotten” that was not followed by the Court in its judgment. Thus, the SCCs are not “out of the woods” yet.
Concerning the Privacy Shield, the Advocate General’s criticisms seem to indicate that it may be living on borrowed time: The Advocate General did find several important deficiencies in the Privacy Shield, raising doubts as to whether it would be upheld should the Court of Justice wish to opine on it, either in the final judgment of Schrems II or elsewhere (and it should be remembered that La Quadrature du Net, Case T-738/16, which seeks annulment of the Privacy Shield, is currently pending in the General Court). Thus, the Court's judgment can be eagerly awaited as likely representing a milestone in the law of international data transfers.
Filippo Maria Volpini, Legal Intern, contributed to the writing of this article.