The Court of Justice of the European Union Advocate General issued his much‑anticipated opinion in the case commonly known as “Schrems 2.0.”
The AG’s opinion is not legally binding. However, it is likely to influence the CJEU’s decision in the case, which is expected to be handed down during the first quarter of 2020.
The opinion addresses:
- the validity of the controller-to-processor standard contractual clauses as a legal basis for transfers of personal data from the European Union to the United States in light of certain national security laws to which US companies are subject; and
- the possible impact of those US national security laws on the validity of the EU-US Privacy Shield as a transfer mechanism.
What does the opinion say?
- Organizations acting as data exporters can still rely on the SCCs as a legal basis to effect transfers from the EU to third country data importers – however, they are obligated to prohibit or suspend those transfers where the SCCs cannot be complied with because of a conflict between the terms of the SCCs and the laws of the third country to which a data importer is subject.
- This position was reached as the AG concluded that the SCCs only remained valid due to the existence of an obligation on a data exporter (and, in the absence of appropriate steps by a data exporter, the competent supervisory authority) to prohibit or suspend transfers relying on the SCCs in the event of such a conflict with local laws.
- This means that data exporters and supervisory authorities need to run a case‑by-case analysis to determine whether or not the SCCs are appropriate in the context of individual transfers.
What would this mean if the opinion is followed?
For supervisory authorities
In the case at hand, it appears the Irish Data Protection Commission is likely to have to consider whether US national security legislation conflicts with the terms of the SCCs such that they cannot be used as a legal basis for the transfer in question.
If the CJEU follows the AG’s approach of delegating responsibility to the supervisory authority concerned, this seems to open the door to differing approaches to the use of the SCCs between different supervisory authorities, which could cause a meaningful reduction in harmonization around the EU.
For data exporters
Data exporters would be subject to an obligation to prohibit or suspend a transfer that relies on the SCCs if laws applicable to the data importer in question conflict with the SCCs in a way that means compliance with the SCCs becomes impossible.
This means data exporters would have to undertake complex, case-by-case analyses of the national laws applicable to data importers and whether they are compatible with the SCCs.
For data importers
In addition to the obligations on data exporters and supervisory authorities discussed above, it is worth recalling that the SCCs include:
- a warranty from the data importer that it has no reason to believe there are any conflicting local laws that would make its compliance with the data exporter’s instructions and/or the underlying contract impossible; and
- an ongoing commitment that the data importer will update the data exporter if the data importer becomes aware of a change in law which is likely to have a substantial adverse effect on the data importer’s compliance with the SCCs – in which case:
- the data exporter may suspend the transfer and/or terminate the underlying contract; or
- if the data exporter chooses to continue the transfer, the data exporter must notify the competent supervisory authority.
What to take into account when assessing potentially conflicting local laws
The AG noted:
- The following points should be considered by data exporters (and, by extension, data importers), and supervisory authorities when assessing potentially conflicting local laws applicable to data importers:
- the nature and purpose of the processing by relevant public authorities in the data importer’s country; and
- any applicable safeguards in the potentially conflicting law.
- The factors to consider may overlap with the factors that the commission must consider when determining whether or not to reach an adequacy decision in respect of a third country.
Privacy Shield called into question?
The AG noted there was no need to examine the validity of the EU Commission’s Privacy Shield decision in the case at hand, but that he entertained certain doubts as to validity of the Privacy Shield decision as a legal basis for transfers in light of the US national security laws discussed in the context of the SCCs’ validity.