The General Data Protection Regulation (GDPR) provides that personal data may only be transferred to a country outside the European Economic Area (EEA) if that country ensures an adequate level of protection for personal data. Although this was also the long-held position under the previous Data Protection Directive, many international organizations only focused on cross-border data transfer arrangements once the GDPR had increased sanctions for non-compliance.
Unless the European Commission (Commission) has made a so-called “adequacy decision” that a particular non-EEA country offers adequate protection, data controllers must implement appropriate safeguards, such as certification under the EU-U.S. Privacy Shield, binding corporate rules or data transfer agreements incorporating standard contractual clauses (SCCs), which were approved by the Commission in 2010. Given the relative speed and simplicity of entering into SCCs, many U.S. companies rely on SCCs to validate data transfers to the U.S.
Facebook is one of those companies. The social media and technology company has been involved in a seven-year battle with data privacy activist Max Schrems over the legality of its data transfer arrangements. On December 19, 2019, the EU’s Advocate General (AG) published an opinion on the validity of the Commission’s decision to approve SCCs, which gives some comfort to the many U.S. businesses that rely on this mechanism.
Mr. Schrems asked Facebook to identify the legal bases for transferring Facebook users’ personal data from the EU to the United States. Facebook Ireland transfers Facebook’s EU data to Facebook Inc.’s U.S.-based servers. Facebook Inc. acts as the processor for Facebook Ireland under a data transfer agreement incorporating controller-to-processor SCCs.
Mr. Schrems brought a complaint with the Irish data protection authority (the Irish Data Protection Commission (Irish DPC)), Facebook Ireland’s EU data protection supervisory authority, arguing that the SCCs could not justify Facebook’s transfer of personal data as the laws and practices of the U.S. do not offer sufficient protection against surveillance by U.S. public authorities. Hence, Mr. Schrems argued, the SCCs do not provide an effective remedy in the U.S. for him or others to protect their privacy rights. After Mr. Schrems asked the Irish DPC to suspend the application of the controller-to-processor SCCs, the Irish DPC referred his complaint to the Irish High Court, which requested a preliminary ruling by the Court of Justice of the European Union (CJEU).
The AG’s Opinion
The role of an AG is to assist the CJEU by considering submissions to the court in cases that raise a new point of law and to deliver an impartial opinion to the court on the legal solution. While free to take a different view, the CJEU often follows AG opinions when delivering its definitive judgments. The AG considered that it is the purpose of a Commission “adequacy decision” to determine whether the laws and practices of a particular non-EEA country provide an adequate level of data protection. By way of contrast, the validity of a decision on the appropriateness of additional safeguards such as the SCCs depends primarily on the soundness of those specific safeguards. In other words, appropriate safeguards implemented by a data exporter (i.e., the SCCs) provide a general mechanism for transfers outside the EEA. These will apply irrespective of, and in most cases are unaffected by, the general level of protection provided by the non-EEA country to which the personal data is transferred.
Against this background, the AG considered the validity of the SCCs and ultimately did not find any reason to challenge the Commission’s approval of the SCCs. A key consideration informing the AG’s decision was whether there are sufficiently sound mechanisms to ensure that transfers based on SCCs are suspended or prohibited where the SCCs are breached or cannot be complied with in a non-EEA country. In the AG’s view, this was the case under the GDPR since there is an obligation to suspend or prohibit a transfer when SCCs cannot be complied with due to a conflict between the obligations arising under the SCCs and those imposed by the law of the non-EEA country. This obligation rests on data controllers and, where those data controllers fail to act, on the relevant EU supervisory authorities.
Implications for International Transfers and Next Steps
AG opinions are not binding on the CJEU but are generally followed. The AG’s opinion therefore provides some reassurance to international organizations that rely on the controller-to-processor SCCs. As things stand right now, U.S. businesses do not need to worry that their data transfer agreements are no longer valid.
However, the basic premise on which the opinion rests is that conflicts between the laws of the data importer’s country and EU law will need to be assessed by the data exporter in the context of each particular transfer. Equally, data importers (under the terms of the SCCs) must inform the exporter of any inability to comply with the terms of the SCCs in order to allow the exporter to suspend the data transfer or terminate the SCCs. The opinion therefore places a significant amount of responsibility on the parties to the SCCs, in particular the data controller. The extent to which controllers will need to proactively manage data transfers to discharge these responsibilities remains to be seen.
Many organizations have focused on implementing a paper trail of data transfer agreements, without necessarily reviewing the substantive data transfer arrangements or the laws of the countries in which the data-importing processors are based. Therefore, pending the decision of the CJEU, organizations should revisit their data maps and records of processing activities to review their international data flows and their agreements with non-EU data processors.
The AG’s opinion was limited to the validity of the Commission Decision of 2010 approving the SCCs, and the AG did not consider it necessary to rule on the validity of the Privacy Shield decision. This is subject to separate ongoing proceedings brought by a French digital rights and privacy advocacy group, La Quadrature du Net. However, the AG did express reservations regarding the level of protection under U.S. law with respect to the electronic communications surveillance activities carried out by U.S. intelligence authorities. In particular, the AG questioned whether the Privacy Shield provides (in the form of the Ombudsperson) individuals with an effective remedy before an independent and impartial body in respect of their privacy rights. The combined developments mean that data transfer issues will be close to the top of the list of data privacy compliance concerns for many U.S. businesses in 2020.