Companies, notably big U.S.-based technology firms, can breathe a sigh of relief that the mechanisms they use to transfer data outside of the European Union to “third countries” provide sufficient privacy protection, according to a key advisor to the European Union’s top court.
Henrik Saugmandsgaard Øe, advocate general at the Luxembourg-based Court of Justice of the European Union (CJEU), wrote in a non-binding opinion last week that standard contractual clauses (SCCs) used for the transfer of personal data to processors based in countries outside of the European Union are “valid.”
The CJEU, which follows such recommendations in four out of five cases, will give its ruling during the first half of 2020.
The case marks a win for Facebook in its seven-year dispute with Austrian privacy activist Max Schrems, but also provides reassurance for thousands of other companies that using SCCs means they are in compliance with the EU’s General Data Protection Regulation (GDPR).
Schrems—who in 2015 successfully brought down the EU’s “Safe Harbor” data transfer regime with the United States—had argued Facebook’s use of SCCs did not offer sufficient data protection safeguards for EU citizens as data was transferred from the social media giant’s EU subsidiary in Ireland to its main business in the States. He argued the bloc’s current “Privacy Shield” arrangement is merely an update to the previous system and remains flawed and unlawful.
In a written statement, Facebook said: “We are grateful for the advocate general’s opinion on these complex questions. [SCCs] provide important safeguards to ensure that Europeans’ data are protected once transferred overseas. SCCs have been designed and endorsed by the European Commission and enable thousands of Europeans to do business worldwide. We look forward to the final decision from the CJEU.”
Lawyers and data experts believe the decision—although non-binding—is likely to be accepted by the Court and provides assurance for companies generally (and Big Tech specifically) that they are in compliance with the EU’s stringent data rules.
Matthew Hall, an antitrust lawyer at law firm McGuireWoods, says that “this is an extremely important finding and will be a great relief to the numerous companies which make use of SCCs so as to allow the transfer of personal data outside the [European Economic Area] to affiliates and third parties. The advocate general essentially agrees that SCCs, assuming proper monitoring by companies using them and ultimately by the data protection regulators in the EEA, are appropriate and legal and do suitably protect personal data which is transferred out of the EEA, including to the U.S.”
Mark Thompson, global lead for professional services firm KPMG’s privacy advisory practice, believes there will be “a collective sigh of relief throughout the business community at the non-binding opinion.”
“This case had the potential to significantly increase the administrative burden on EU-based businesses transferring data internationally—a practice which is common across almost all sectors and sizes,” says Thompson. “This opinion reduces the likelihood of Privacy Shield and standard contractual clauses being revoked, allowing businesses to continue to rely upon these, and avoiding costly and time-consuming remediation.”
Several lawyers also point out the opinion will provide much greater reassurance and clarity to U.K. businesses that transfer data in and out of the European Union following the country’s Brexit preparations.
Reza Nezam, data protection solicitor and data protection officer at law firm Gibson & Associates, says that “the advocate general’s validation of standard contractual clauses is particularly important in relation to Brexit, as it will mean businesses can rely on the clauses to transfer data from the EU to the U.K.”
Helen Goldthorpe, associate and commercial and IT lawyer at law firm Shulmans, agrees that “this ruling is particularly important for organizations in the United Kingdom that wish to continue transferring data to and from Europe after Brexit, whose European partners and suppliers might have had to put data transfers on hold had the standard contractual clauses been invalidated.”
Takeaways for compliance
The advocate general’s non-binding opinion also includes some points that compliance officers should take note of and that Schrems has backed.
Firstly, while his opinion says data transfers between the European Union and United States are valid, it also raises concerns about the ongoing suitability of the Privacy Shield framework, suggesting the mechanism may need to be reviewed or revised in the near future. Jon Belcher, data law specialist at law firm Blake Morgan, believes these signs could mean that “data transfers to the U.S. may become much more difficult in the future.”
Secondly, the advocate general also made it clear organizations’ reliance on SCCs does not necessarily guarantee compliance unless effective monitoring also takes place—both by companies and regulators.
Specifically, the advocate general makes it clear SCCs are only valid to the extent transfers based on the SCCs are suspended or terminated where those clauses are breached or are impossible to honor (due to the law of the country to which the data is sent).
According to Hall, this means an exporter of data must suspend or terminate transfers when the importer cannot comply with the SCCs. If the company that is transferring the data fails to act in such a situation, the supervisory authority (i.e., the data protection regulator in the EEA country in question) must do so.
Lawyers believe consistent compliance and monitoring are therefore essential. Emma Erskine-Fox, associate in the technology and intellectual property team at U.K. law firm TLT, says that “while controllers can continue to rely on SCCs as a valid mechanism of transferring data to recipients outside the EEA, they cannot simply sign the SCCs only to put them in a drawer to be forgotten about.”
“Businesses that rely on the SCCs still need to assess whether the recipient can comply with the clauses in relation to each particular transfer, as well as suspend transfers when that is not the case,” adds Bridget Treacy, partner and head of the U.K. privacy and cyber-security practice for U.S. law firm Hunton Andrews Kurth.