20 January 2020
AG advises CJEU to hold SCC Adequacy decision valid.
The transfer of personal data from the EU to third countries and, in particular, to the USA, has been under the spotlight since the shock decision to invalidate the Safe Harbor Adequacy Decision. Safe Harbor was replaced by the EU-US Privacy Shield but doubts have lingered over the adequate protection of data transferred to the USA, whether the transfer takes place under the Privacy Shield or under an alternative transfer mechanism like Standard Contractual Clauses (SCCs).
Max Schrems, the claimant in the Safe Harbor decision, has continued to pursue this issue and the latest twist in the tale has been a referral to the CJEU which questioned the validity of the SCC Adequacy Decision and, potentially, of the Privacy Shield Decision as well.
The Advocate General has advised the CJEU to hold that the Adequacy Decision which underpins the use of EC Standard Contractual Clauses (SCCs) is valid. This means that SCCs can continue, in general, to be used as a mechanism to enable the lawful export of personal data from the EEA to the USA and, of course, to other third countries around the world.
The AG said that the sole task in this case was to assess the validity of the SCC Adequacy Decision and he was not obliged to consider the validity of the Privacy Shield (although he did examine it in the alternative and half the Opinion deals with questions about its validity). The substantive part of the Opinion, however, focuses on the effectiveness of SCCs as a transfer mechanism, rather than on the lawfulness of data transfers to particular third countries and particular businesses. Specific case by case decisions regarding transfers under SCCs need, says the AG, to be addressed by the exporter and, if the exporter fails to do so, by the relevant Supervisory Authority (SA).
The decision will come as a relief to many global businesses, especially US businesses importing EEA personal data, as well as to EEA exporters. It will also make it easier for UK businesses to prepare for Brexit in the event that there is no adequacy arrangement in place between the UK and EEA at the end of transition. AG Opinions are not binding but the CJEU follows them in the majority of cases. We now await the CJEU judgment in the matter to confirm the position.
Having said that, while the Opinion is good news in the short term, it does little to lay to rest continued doubts over the extent to which access to EU data by the US intelligence authorities means personal data transferred to the USA can ever be adequately protected. An upcoming case will look specifically at the validity of the EU-US Privacy Shield Decision and we may yet see further references to the CJEU relating to the Schrems application on SCCs before the Irish Data Protection Commissioner makes a decision about whether to suspend or prohibit specific data transfers.
Ongoing doubts about certain data transfers (particularly but not exclusively to the USA) put businesses in a difficult position. One possible direction of travel is an uptake of Binding Corporate Rules (BCRs). These are rules which can be used for intra-group data transfers once they have been individually approved by the appropriate regulator. In theory, if a regulator has approved a set of transfers, a compliant business is less likely to run into problems.
BCRs have historically been seen as a more gold-plated solution with a perceived downside in terms of greater expense and time to implement than other available transfer solutions and, of course, they are only suitable for intra-group transfers. Only around 30 sets have been approved by the ICO to date. Applications for BCRs may, however, now be seen as a more attainable goal for businesses which have taken their GDPR compliance and accountability obligations seriously, as there will be less of a 'jump-up' to a baseline previously seen as much higher than standard, or even well beyond reach. While the time it takes to receive approval could be seen as problematic, it may become less of an issue given that demonstrable compliance is the new normal.
Although we think it unlikely (but not impossible) that the CJEU will find the SCC Adequacy Decision invalid in this application, data transfers to particular countries and businesses remain a problem, and so do the mechanisms which authorise them. Businesses can take some comfort from the fact that regulators were pragmatic about enforcement after Safe Harbor collapsed, but neither this Opinion nor the judgment which will follow it seems likely to provide final resolution.
The AG says that the CJEU should find that nothing in the analysis of the questions referred for a preliminary ruling affects the validity of the SCC Decision. He opines that:
A number of the questions referred to the CJEU in this case relate to whether, and to what extent, the EU-US Privacy Shield Adequacy Decision establishes that appropriate safeguards are provided for in the USA against interference by US intelligence authorities with the fundamental rights of EU citizens and provides for effective judicial redress.
The AG considers that these issues are not substantive in this case and, although analysis might be helpful to the Irish Data Protection Commissioner at a later stage when considering whether or not to suspend or prohibit data transfers, says it would be "premature to resolve them in the present case". The Irish Supreme Court had also said that the only substantive issue raised before the Irish High Court and the CJEU was the validity of the SCC Decision.
The AG's view is that questions relating to the Privacy Shield Decision were referred because the referring court had assumed that the validity of the SCC Decision would depend on the level of protection of fundamental rights provided for in each third country to which personal data is transferred under SCCs. The AG considers this is incorrect; examination of the law of the third country is only relevant when the Commission adopts an Adequacy Decision or when the data controller, or failing that, the competent SA, has to consider whether the law of the third country imposes obligations on the data importer which undermine the effectiveness of protection provided by the safeguards under which the data was exported.
The AG recommends that the CJEU follow his approach and conclude that this case is not about the validity of the Privacy Shield Decision, not least because the Decision is already the focus of an annulment action in a separate case. He goes on to suggest that if the Irish Data Protection Commissioner finds she cannot make a decision on the Schrems complaint unless the CJEU says the Privacy Shield Decision does not prevent her from making one, then she can make a further application to the national courts so they can make an additional reference on the subject to the CJEU.
Having said that he doesn't need to consider the validity of the Privacy Shield Decision, the AG then goes on to do exactly that "in the alternative and with certain reservations" on a non-exhaustive basis, in case the CJEU disagrees with his assessment about the relevance of the Privacy Shield Decision in this reference. The AG says that while an Adequacy Decision is binding on an SA until such time as it is declared invalid, and an SA would not be able to suspend a data transfer on the grounds that the relevant third country does not provide adequate protection, the Privacy Shield Decision cannot prevent SAs suspending or prohibiting transfers outside its scope. In other words, it cannot prevent an SA suspending or prohibiting a transfer carried out under SCCs.
The AG suggests a review of the validity of the Privacy Shield Decision would require a "double verification":
Most of the AG's conclusions on the Privacy Shield Decision are expressed in terms of 'serious doubts' or 'concerns'. They centre on issues including:
In all these areas, the AG takes issue and concludes that "in light of the foregoing considerations, I entertain certain doubts as to the conformity of the 'privacy shield' decision to Article 45(1) GDPR, read in light of Articles 7, 8 and 47 of the Charter and of Article 8 of the ECHR."
While the AG stops short of concluding that the Privacy Shield Decision should be found invalid, if the CJEU disagrees with him and does think it needs to consider its validity, the outcome of the final decision (which is expected in the first quarter of the year) could be more explosive than this Opinion suggests.