Advocate General Henrik Saugmandsgaard Øe questions transfers to third countries
Back to Technology Law Committee publications
Stefan Peintinger
SKW Schwarz, Munich
s.peintinger@skwschwarz.de
On 19 December 2019 the Advocate General of the Court of Justice of the European Union (CJEU) Henrik Saugmandsgaard Øe published his opinion in the case Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems (case C-311/18 or Schrems II). Companies transferring personal data to countries outside of the EU (also known as ‘third countries’, or ‘international data transfers’) should pay particular attention to this case. In the future, a data protection supervisory authority (DPA) could prohibit international data transfers although Standard Contractual Clauses (SCCs) have been agreed on and complied with. This could also affect other safeguards in the context of international data transfers, for example Binding Corporate Rules (BCR).
This opinion is marked by several procedural questions as well as procedural directions. From a practical point of view, the following short-term key point is relevant:
The Advocate General recommends the CJEU continues to consider the decision of 5 February 2010 (2010/87/EU ‘Decision 2010/87/EU’) on the applicability of SCC to be lawful. The Advocate General sees no reason, regarding the present proceedings, to declare the Decision 2010/87/EU invalid.
Should the CJEU follow the Advocate General, companies can still use SCC to justify international data transfers. However, in the long-term, this principle could turn into an exception. If the CJEU agrees with the view of the Advocate General, a radical change with regard to international data transfers could follow. Companies might no longer rely on safeguards in accordance with the General Data Protection Regulation (GDPR) when transferring personal data to third countries. The Advocate General probably takes the view that a DPA can issue orders to suspend international data transfers in individual cases. Therefore, in future a DPA might ban international data transfers even though SCC have been agreed on and complied with because of a different data protection level in a specific third country.
Background
This case has a longer history. The starting point is a case filed by Mr Schrems with the Irish DPA.
In essence, Mr Schrems challenged the legality of the transfer of personal data by Facebook Ireland Ltd to Facebook Inc based in California (Schrems I). According to Mr Schrems, the (now invalid) Safe Harbour Agreement did not provide an adequate level of data protection in the United States. Among other things, US authorities could access the personal data of data subjects without the possibility of adequate legal remedies by those data subjects. The transfer of personal data on the basis of the Safe Harbour Agreement was therefore inadmissible. With the Schrems I decision, the CJEU declared the EU Commission's decision on the Safe Harbour Agreement of 26 July 2000, decision 2000/520/EC, invalid. The Schrems I decision accelerated the negotiations on the Privacy Shield which is currently valid.
Schrems I decision currently has no influence on SCC
The Decision 2010/87/EU on the applicability of SCC was not affected by Schrems I. This legal instrument could still be used for international data transfers. The EU Commission had formulated certain standard contractual clauses for international data transfers in Decision 2010/87/EU. If parties agree on these clauses, they are obliged to comply with certain protection requirements with regard to personal data. These obligations can be used to justify an international data transfer such as to transfer personal data from an EU-based company to one in the US. The SCC are, therefore, one way of justifying international data transfers.[1]
Key question in the Schrems II proceedings
Facebook Ireland Ltd uses SCC, concluded with Facebook Inc as justification for the corresponding international data transfers. Mr Schrems reworded his complaint, after he was informed by Facebook Ireland Ltd accordingly.
The key question of the referring court in the Schrems II proceedings is whether Decision 2010/87/EU violates certain European fundamental rights, protected by the European Convention on Human Rights.[2] Mr Schrems questions the validity of Decision 2010/87/EU in particular because of the limited binding effect of SCC. Only the parties agreeing on the SCC are bound by them. Consequently, for example, if two private companies conclude SCC, state or federal authorities would not be required to guarantee a certain level of protection with regard to personal data. For international data transfers from the EU to the US, this means that even the conclusion of SCC would not provide an adequate level of data protection. In particular, various surveillance measures by US Federal Authorities and a lack of legal protection for data subjects could lead to the conclusion that there is no adequate level of data protection in the US, even though SCC have been concluded and complied with by the parties processing relevant personal data.
No need for the CJEU to declare Decision 2010/87/EU invalid
In conclusion, the Advocate General sees no reason for the CJEU to declare Decision 2010/87/EU invalid (in the present case). The Decision 2010/87/EU does not violate various European fundamental rights.
The fact that federal or state authorities are not bound by SCC (which they are not a party to) is not sufficient to assume that European fundamental rights are violated. Federal or state authorities can impose obligations on the data recipient (‘importer’). It is possible that the importer, if they observe these obligations, may in turn breach their obligations to the data transmitter (‘exporter’). This mere fact alone does not justify the invalidity of the Decision 2010/87/EU.
On the other hand, the question is if there are sufficient legal tools in place in order to react to such a case, without at the same time declaring the current system of the SCC completely invalid. DPA have various powers in accordance with article 58(2) GDPR. Among other powers, they can temporarily or permanently restrict the exporter’s data transfer to the importer.[3] A DPA could use this power, if an importer (as a result of an administrative and/or court order in a third country) is caught between a rock and a hard place, either to comply with such an order or with their obligations under the SCC.
By having such a power, the fundamental rights of affected data subject can be safeguarded in individual cases without having to declare Decision 2010/87/EU invalid.
Conclusion
In the view of the Advocate, General Decision 2010/87/EU should remain valid. Companies could therefore continue to use SCC in the future. In specific individual cases, a DPA could take measures to prevent certain data transfers to a third country. A DPA should, if necessary, consult with the European Data Protection Board before imposing such a ban. The Advocate General does not call into question the fundamental system of SCC as one way to justify international data transfers.
The judges of the CJEU are not bound by the opinion of an advocate general. However, they regularly follow the opinion of an advocate general. It remains to be seen how the judges will answer the questions in Schrems II, particularly in light of various procedural questions that are relevant for certain procedural directions.
Irrespective of the present preliminary ruling procedure, another pending case at the CJEU may lead to a readjustment of international data transfers with regard to the US. The subject matter of the proceedings in La Quadrature du Net and Others v Commission (case T-738/16) is the question whether or not the EU Commission’s implementing decision (EU) 2016/1250 of 12 July 2016, on the applicability of the EU-US Privacy Shield, breaks certain European fundamental rights. The Advocate General refers to this procedure several times.
SCC are relatively easy to apply in practice. A factor that will also become relevant from a data protection perspective with Brexit.
Prospects
Caution is advised. If we think the Advocate General’s opinion, in particular in paragraphs 121 et seq is adopted by the CJEU on the relevant merits, the current system of safeguards regarding international data transfers is called into question.
Following the Advocate General’s opinion, Decision 2010/87/EU would still be valid. A DPA could prohibit corresponding international data transfers in individual cases, if the DPA identifies possible deficits with regard to an adequate data protection level in a certain third country. This could lead to a situation where SCC could no longer be applied to certain third countries, or perhaps to parts of them, although Decision 2010/87/EU still remains valid.
This calls into question the system of safeguards regarding international transfers in accordance with Article 44 et seq GDPR. A company could no longer rely on the fact that it has complied with the relevant data protection requirements by concluding (and complying with) SCC.[4] A DPA could nevertheless prohibit international data transfers due to factors outside of the importer’s and exporter’s sphere of influence. As a result, safeguards in the sense of international data transfers between private companies would no longer be suitable for creating legal certainty for those companies. From a European DPA’s perspective, structural data protection deficits in a third country would, for example, also call into question BCR. The purpose of safeguards regarding international data transfers would vanish.
This would enable a DPA to act with a power that an administrative authority or agency usually does not have under the principle of separation of powers. It could de facto eliminate the applicability of a still valid legal act,[5] by consistently prohibiting international data transfers on the basis of this still valid legal act. Furthermore, a DPA has to act in accordance with the principle of self-commitment of the administration and the general principle of equality. Therefore, once a DPA sets a tone for a specific third country, this DPA might have to handle cases with regard to this country in a similar way.
The opinion of the Advocate General would be a pyrrhic victory for companies that want to use SCC in order to comply with the corresponding GDPR requirements. The principle that companies can use SCC as a safeguard for international data transfers could turn into the exception.
Notes
[1] GDPR, Article 46(2) (c).
[2] See question 11, paragraph 76 of the opinion.
[3] GDPR, Article 58(2) (f).
[4] GDPR, Article 46(2) (c).
[5] Decision 2010/87/EU.