On December 19, 2019, the Court of Justice of the European Union (CJEU) published the non-binding opinion of Henrik Saugmandsgaard Øe, the European Union Advocate General. This opinion concerned the case Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems. The case, commonly known as Schrems II, concerns the validity of Standard Contractual Clauses (SCCs), which facilitate the transfer of personal data to third countries in the absence of an adequacy decision by the European Commission.”
The Opinion clarifies that Schrems had claimed the clauses in Facebook’s data transfer agreement were not consistent with the SCCs set out in Decision 2010/87|EU and that those SCCs could not justify the transfer of his personal data to the United States. Furthermore, the Opinion outlines the AG’s findings that the case had no effect on the validity of Decision 2010/87 and highlights the obligation on data controllers and supervisory authorities to suspend or prohibit data transfers when it is not possible to comply with SCCs, due to a conflict between the obligations and those under the third country of destination’s legislation.
What is the validity of the SCC decision?
According to the AG, the compatibility of the SCC Decision with the EU Charter of Fundamental Rights depends on the existence of sufficiently sound mechanisms that, on a cases by case basis, ensure that transfers based on SCCs are suspended or prohibited if those clauses are breached or cannot be honored.
The AG’s view explains that the SCC Decision puts an obligation first on controllers and second on Data Protection Authorities to suspend/prohibit a transfer when an SCC cannot be honored, due to a conflict between the obligations of the SCCs and the obligations of the law of the third-country of destination.
What does this mean in practice?
The AG advises that SCCs are valid under EU law and allow international data transfers on its basis. However, transfers based on SCCs to a particular data controller in a third country that does not ensure sufficient protections have to be suspended by the controller; if the controller fails to do so, the Data Protection authority has to suspend the SCC at the request of a data subject raising a valid concern.
What is the validity of Privacy Shield?
The AG advised the CJEU not to give an answer to the Irish Supreme Court on the validity of the EU-US Privacy Shield framework. His view is that the validity of Privacy Shield is not relevant to solving the Schrems II case.
However, he stated that if the court were to give an opinion, there are reasons to question the validity in light of the right to respect for private life and to an effective judicial remedy.