Authors

Debbie Heywood

Senior Counsel – Knowledge

Graham Hann

Partner

Christopher Jeffery

Partner

Siân Skelton

Partner


20 January 2020

Schrems II: good news for data transfers under Standard Contractual Clauses

AG advises CJEU to hold SCC Adequacy decision valid.

What's the issue?

The transfer of personal data from the EU to third countries and, in particular, to the USA, has been under the spotlight since the shock decision to invalidate the Safe Harbor Adequacy Decision. Safe Harbor was replaced by the EU-US Privacy Shield but doubts have lingered over the adequate protection of data transferred to the USA, whether the transfer takes place under the Privacy Shield or under an alternative transfer mechanism like Standard Contractual Clauses (SCCs).

Max Schrems, the claimant in the Safe Harbor decision, has continued to pursue this issue and the latest twist in the tale has been a referral to the CJEU which questioned the validity of the SCC Adequacy Decision and, potentially, of the Privacy Shield Decision as well.

What's the development?

The Advocate General has advised the CJEU to hold that the Adequacy Decision which underpins the use of EC Standard Contractual Clauses (SCCs) is valid. This means that SCCs can continue, in general, to be used as a mechanism to enable the lawful export of personal data from the EEA to the USA and, of course, to other third countries around the world.

The AG said that the sole task in this case was to assess the validity of the SCC Adequacy Decision and he was not obliged to consider the validity of the Privacy Shield (although he did examine it in the alternative and half the Opinion deals with questions about its validity). The substantive part of the Opinion, however, focuses on the effectiveness of SCCs as a transfer mechanism, rather than on the lawfulness of data transfers to particular third countries and particular businesses. Specific case by case decisions regarding transfers under SCCs need, says the AG, to be addressed by the exporter and, if the exporter fails to do so, by the relevant Supervisory Authority (SA).

What does this mean for you?

The decision will come as a relief to many global businesses, especially US businesses importing EEA personal data, as well as to EEA exporters. It will also make it easier for UK businesses to prepare for Brexit in the event that there is no adequacy arrangement in place between the UK and EEA at the end of transition. AG Opinions are not binding but the CJEU follows them in the majority of cases. We now await the CJEU judgment in the matter to confirm the position.

Having said that, while the Opinion is good news in the short term, it does little to lay to rest continued doubts over the extent to which access to EU data by the US intelligence authorities means personal data transferred to the USA can ever be adequately protected. An upcoming case will look specifically at the validity of the EU-US Privacy Shield Decision and we may yet see further references to the CJEU relating to the Schrems application on SCCs before the Irish Data Protection Commissioner makes a decision about whether to suspend or prohibit specific data transfers.

Ongoing doubts about certain data transfers (particularly but not exclusively to the USA) put businesses in a difficult position. One possible direction of travel is an uptake of Binding Corporate Rules (BCRs). These are rules which can be used for intra-group data transfers once they have been individually approved by the appropriate regulator. In theory, if a regulator has approved a set of transfers, a compliant business is less likely to run into problems.

BCRs have historically been seen as a more gold-plated solution with a perceived downside in terms of greater expense and time to implement than other available transfer solutions and, of course, they are only suitable for intra-group transfers. Only around 30 sets have been approved by the ICO to date. Applications for BCRs may, however, now be seen as a more attainable goal for businesses which have taken their GDPR compliance and accountability obligations seriously, as there will be less of a 'jump-up' to a baseline previously seen as much higher than standard, or even well beyond reach. While the time it takes to receive approval could be seen as problematic, it may become less of an issue given that demonstrable compliance is the new normal.

Although we think it unlikely (but not impossible) that the CJEU will find the SCC Adequacy Decision invalid in this application, data transfers to particular countries and businesses remain a problem, and so do the mechanisms which authorise them. Businesses can take some comfort from the fact that regulators were pragmatic about enforcement after Safe Harbor collapsed, but neither this Opinion, nor the judgment which will follow it, seems likely to provide final resolution.

The SCC Adequacy Decision (Decision 2010/87 as amended by Decision 2016/2297)

The AG says that the CJEU should find that nothing in the analysis of the questions referred for a preliminary ruling affects the validity of the SCC Decision. He opines that:

  • EU law applies to transfers of personal data to a third country where those transfers form part of a commercial activity, even though the transferred data may be processed by public authorities of the third country for national security purposes.
  • The purpose of a country-level Adequacy Decision is to find that the third country ensures an equivalent level of protection of fundamental rights as provided by the GDPR in light of the EU Charter of fundamental rights. While the requirements of protection of fundamental rights do not differ according to the legal basis for transfer, the way in which the required level of protection is maintained does differ. SCCs and other methods for conducting lawful transfers of personal data apply where no country-level Adequacy Decision has been made. The purpose of SCCs is to ensure both the exporter and importer provide a high level of protection where the safeguards available in the third country are inadequate. The appropriate safeguards provided by the data exporter, including by contractual means, must themselves ensure an adequate level of protection. SCCs provide a general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there.
  • The fact that SCCs are not binding on authorities in third countries and do not prevent those authorities from imposing conflicting obligations on importers, does not make the SCC Adequacy Decision invalid. The crucial factor is that there are sufficiently sound mechanisms in place to ensure that transfers based on SCCs are suspended or prohibited where those clauses are breached or impossible to honour. The AG believes these mechanisms are in place as there is an obligation on data controllers and, if they do not fulfil the obligation, on SAs, to suspend or prohibit a transfer when SCCs cannot be complied with due to a conflict with obligations imposed by the law of the importing third country. In addition, data subjects have enforceable rights and remedies under SCCs. Whereas the original SCC Adequacy Decision limited the powers of SAs to intervene, the revised version of the Decision which was amended following the Safe Harbor decision, does not limit the powers of SAs and confirms that they have the power to suspend or prohibit any transfer which they consider to be contrary to EU law, in particular where the importer does not respect SCCs. The AG also notes that under the GDPR, the exercise of powers to suspend or prohibit transfers is no longer merely an option left to the SA's discretion but an obligation which, if ignored, may be the subject of judicial action (Articles 58 and 57(1) GDPR). The AG recognises there may be practical difficulties as a result of potential divergence in the approach of SAs to comparable transfers but says not only does this not impact the validity of the SCC Decision, the GDPR provides for such situations through the consistency and cooperation mechanism and the role of the EDPB to resolve any disagreements.

The validity of the Privacy Shield Decision

A number of the questions referred to the CJEU in this case relate to whether, and to what extent, the EU-US Privacy Shield Adequacy Decision establishes that appropriate safeguards are provided for in the USA against interference by US intelligence authorities with the fundamental rights of EU citizens and provides for effective judicial redress.

The AG considers that these issues are not substantive in this case and although analysis might be helpful to the Irish Data Protection Commissioner at a later stage when considering whether or not to suspend or prohibit data transfers, says it would be "premature to resolve them in the present case". The Irish Supreme Court had also said that the only substantive issue raised before the Irish High Court and the CJEU, was the validity of the SCC Decision.

The AG's view is that questions relating to the Privacy Shield Decision were referred because the referring court had assumed that the validity of the SCC Decision would depend on the level of protection of fundamental rights provided for in each third country to which personal data is transferred under SCCs. The AG considers this is incorrect; examination of the law of the third country is only relevant when the Commission adopts an Adequacy Decision or when the data controller, or failing that, the competent SA, has to consider whether the law of the third country imposes obligations on the data importer which undermine the effectiveness of protection provided by the safeguards under which the data was exported.

The AG recommends that the CJEU follow his approach and conclude that this case is not about the validity of the Privacy Shield Decision, not least because the Decision is already the focus of an annulment action in a separate case. He goes on to suggest that if the Irish Data Protection Commissioner finds she cannot make a decision on the Schrems complaint unless the CJEU says the Privacy Shield Decision does not prevent her from making one, then she can make a further application to the national courts so they can make an additional reference on the subject to the CJEU.

Having said that he doesn't need to consider the validity of the Privacy Shield Decision, the AG then goes on to do exactly that "in the alternative and with certain reservations" on a non-exhaustive basis, in case the CJEU disagrees with his assessment about the relevance of the Privacy Shield Decision in this reference. The AG says that while an Adequacy Decision is binding on an SA until such time as it is declared invalid, and an SA would not be able to suspend a data transfer on the grounds that the relevant third country does not provide adequate protection, the Privacy Shield Decision cannot prevent SAs suspending or prohibiting transfers outside its scope. In other words, it cannot prevent an SA suspending or prohibiting a transfer carried out under SCCs.

The AG suggests a review of the validity of the Privacy Shield Decision would require a "double verification":

  • In the first place, whether the US ensures a level of protection essentially equivalent to that following from the GDPR and the EU Charter on Fundamental Rights, against the restrictions resulting from the application of s702 FISA (which allows the NSA to require communications providers to make personal data available to it); and
  • In the second place, the provisions of the European Convention on Human Rights (ECHR) will be the relevant reference framework for evaluating EO12333 (which authorises intelligence authorities to collect personal data themselves without the assistance of private operators). The ECHR will also be the standard of comparison for assessing whether adequate protection is provided with respect to retention and use of the personal data for national security purposes.

Most of the AG's conclusions on the Privacy Shield Decision are expressed in terms of 'serious doubts' or 'concerns'. They centre on issues including:

  • Whether the legal basis for interference with fundamental rights is sufficiently foreseeable to avoid being arbitrary.
  • The extent to which interference is necessary and proportionate.
  • Whether there are sufficient guarantees and safeguards to prevent abuse of any legitimate derogation from GDPR requirements for national security purposes.
  • The existence of effective remedies for EU citizens and whether the Ombudsperson mechanism addresses any deficiencies.

In all these areas, the AG takes issue and concludes that "in light of the foregoing considerations, I entertain certain doubts as to the conformity of the 'privacy shield' decision to Article 45(1) GDPR, read in light of Articles 7, 8 and 47 of the Charter and of Article 8 of the ECHR."

While the AG stops short of concluding that the Privacy Shield Decision should be found invalid, if the CJEU disagrees with him and does think it needs to consider its validity, the outcome of the final decision (which is expected in the first quarter of the year) could be more explosive than this Opinion suggests.
