On December 19, 2019, in the Facebook Ireland and Schrems (Schrems 2.0) case,1 the Advocate General (AG) to the European Court of Justice (ECJ)—European Union's highest court—opined that the EU Standard Contractual Clauses (SCCs) are a valid data transfer mechanism to export personal data from the European Economic Area (EEA) to third countries.
Businesses encountered major legal uncertainty when the EU-U.S. Safe Harbor mechanism was invalidated following the Maximillian Schrems vs. Data Protection Commissioner (Schrems 1.0)2 case in 2015. The SCCs are a data transfer mechanism relied on by thousands of companies to transfer personal data, and are critical to the flow of personal data globally. While the AG Opinion is not binding on the court, it is a significant development as it may indicate the direction of the final judgment in the case.
Background
In 2013, privacy activist Max Schrems filed a complaint with the Irish Data Protection Commissioner (the DPC) relating to transfers of data from the EU to the U.S. by Facebook Ireland following the Snowden revelations. Schrems alleged a violation of data protection rights as a result of suspected data sharing between U.S. companies and intelligence agencies. In 2015, the ECJ invalidated the EU-U.S. Safe Harbor adequacy decision, which allowed companies to export EU personal data to the U.S. under the EU-U.S. Safe Harbor framework, on the basis that it was not providing an adequate level of protection to EU personal data. Following this, many companies began relying on SCCs for EEA to U.S. transfers, and in 2016 the European Commission (EC) approved a new safe harbor program: the EU-U.S. Privacy Shield Framework.
Thereafter, Max Schrems filed a new complaint with the DPC, this time challenging Facebook Ireland's use of the SCCs as a transfer mechanism. The case made its way to the ECJ, via a reference for a preliminary ruling from the Irish High Court, in 2018. The Irish High Court's referral contained a wide-ranging list of questions focusing on the validity of SCCs in relation to transfers to the U.S. For the full background on Schrems 1.0 and 2.0, please see the WSGR Data Advisor article And Then There Were None: Or How Schrems 2.0 May Invalidate the Standard Contractual Clauses and the Privacy Shield.3
On July 9, 2019, oral arguments on the referred questions were presented to the ECJ by interested stakeholders, and the AG formulated his response over the intervening five months.
Key Points of the AG's Opinion
SCCs
The AG opined that the SCCs are valid since they are designed to ensure a continuous and adequate level of protection, when personal data is transferred by a company in the EU to another company in a third country. According to the AG, the existence of SCCs in itself compensates for any perceived data protection deficiencies that exist outside the EU.
The AG recognized that the legal context in a third country may make the SCCs' obligations difficult to implement. However, the fact that the SCCs are not binding on third countries' public authorities does not render them invalid. Rather, any foreign law that imposes obligations on the data importers that are at odds with the SCCs emphasizes the burden that controllers and, in the alternative, Supervisory Authorities have when reviewing data transfers. A case-by-case analysis is thus required for each data transfer to assess whether the laws where the data importer is located constitute an obstacle to the implementation of the SCCs. If they do, then the transfers should be prohibited or suspended. As a practical matter, it will be very difficult for data exporters to live up to the requirement to assess whether local law in the data importing country is reconcilable with the SCCs.
Privacy Shield
The AG also advised the ECJ not to address the Privacy Shield questions raised by the Irish High Court in this case, as the subject matter of the main proceedings is limited to the validity of the SCCs. However, if the ECJ does decide to examine the validity of the Privacy Shield Framework, the AG opined that this should be done in the abstract and should not affect the findings on the validity of the SCCs.
Nevertheless, the AG provided a detailed analysis,4 whereby he expressed certain concerns about the conformity of the Privacy Shield with the GDPR. In particular, the AG is doubtful as to whether the U.S. guarantees, in the context of the activities of its intelligence services,5 offer an adequate level of protection for the privacy of EU individuals.6 The AG also questioned whether the Privacy Shield offers an effective judicial remedy to EU individuals since the Privacy Shield Ombudsperson does not appear to provide a remedy before an independent body, nor to offer individuals a possibility to exercise their privacy rights or contest infringement of their rights by the U.S. intelligence services.
Implications for Companies
If the ECJ follows the AG's opinion regarding the validity of the SCCs, at first glance there will be little impact for most EU data transfers to third countries. However, companies will need to conduct a case-by-case assessment and ensure that data transfers to third countries conform with the GDPR. In addition, the AG's emphasis on the need for Supervisory Authorities to police data transfers under the SCCs may increase pressure on them to investigate whether transfers made under the clauses actually provides the protection they are supposed to.
If the ECJ follows the AG's recommendation and does not examine the validity of the Privacy Shield, then nothing will change for U.S. companies that rely on the Privacy Shield for their EU data transfers anytime soon. However, if the ECJ decides to address the substance of the Privacy Shield questions it will likely partly or wholly invalidate the framework, given the specific concerns raised by the AG. In this scenario, companies will need to take swift action to rely on SCCs or another adequate transfer mechanism until the EU and the U.S. formulate a Privacy Shield fix or a new data transfer regime.
Next Steps
The ECJ will likely issue a final decision on the issues within a few months, and follow the opinions voiced by the AG as it has done in roughly 70 percent of the cases so far.7 However, as shown in the past when the court invalidated the EU-U.S. Safe Harbor Framework, it can decide to broaden the scope of its review and look at the EU-U.S. Privacy Shield. In addition, in the past the court has sometimes gone against the views of the AG (e.g., in the Google Spain case involving the "right to be forgotten" decided in 2014), and there are no guarantees it may not do so here as well.
While the opinion is practical and nuanced with regard to use of the SSCs, it does put the burden on EU companies and Supervisory Authorities. In practice, companies and ultimately regulators will be responsible for assessing whether the SCCs conflict with the law of the data importer, and to potentially suspend or prohibit the transfer of personal data. Companies should now wait for the actual court decision, but should prepare themselves in case the court takes a different view on the SCCs and the Privacy Shield than the AG has done.
Wilson Sonsini will continue to monitor the news and update you once the ECJ decision is published.
Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws, along with advising clients on general domestic and international privacy and data security issues. For more information, please contact Cédric Burton, Jan Dhont, Lydia Parnes, Chris Olsen, or another member of the firm's privacy and cybersecurity practice.
Lore Leitner, Nikolaos Theodorakis, and Josephine Jay contributed to this alert.
1 Case C-311/18. Press release of the opinion available here: https://curia.europa.eu/jcms/upload/docs/application/pdf/2019-12/cp190165en.pdf. Full text of the opinion available here: http://curia.europa.eu/juris/document/document.jsf?text=&docid=221826&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=47018.
2 Case C0362/14, available here: http://curia.europa.eu/juris/liste.jsf?num=C-362/14.
3 Available at: https://www.wsgr.com/en/insights/and-then-there-were-none-or-how-schrems-20-may-invalidate-the-standard-contractual-clauses-and-the-privacy-shield.html.
4 Paras. 187-342 of the AG Opinion.
5 Section 702 of the FISA and EO 12333.
6 Within the meaning of Art 45(1) of the GDPR and Art. 7 and 8 of the Charter of Fundamental Rights of the European Union, and Art. 8 of the ECHR.
7 An Econometric Analysis of the Influence of the Advocate General on the Court of Justice of the European Union, (2016), Cambridge Journal of Comparative and International Law, Vol. 5, No. 1.