The European Court’s Advocate General has upheld the validity of the EU standard/model clauses in his official Opinion, which can be found here: http://curia.europa.eu/juris/document/document.jsf?text=&docid=221826&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=3462665
What is the (third) Schrems case all about?
Mr. Maximillian Schrems asked Facebook Ireland to identify the legal bases for the transfer of personal data of Facebook users from the EU to the US. Facebook Ireland referred to a data transfer processing agreement between it and Facebook Inc., relying on the EU standard/model contractual clauses.
Mr. Schrems then brought a complaint before the Irish data protection regulator claiming that the clauses in the agreement in question were not consistent with the EU standard/model contractual clauses, and that the latter couldn’t in any event justify the transfer of the personal data relating to him to the US.
The Irish data protection regulator then brought proceedings before the Irish High Court which referred a number of questions to the European Court of Justice for a so-called preliminary ruling about EU standard/model contractual clauses; some questions about the EU-US Privacy Shield were also included.
What did the Advocate General say?
In sum, in a lengthy and detailed analysis, Advocate General Henrik Saugmandsgaard Øe proposed that the court should rule that the analysis of the questions hadn’t disclosed anything to affect the validity of EU standard/model contractual clauses.
Whilst the Advocate General made a number of very interesting points about EU standard/model contractual clauses, we only wish to draw your attention to the following two paragraphs of his Opinion:
- “125. […] the safeguards in the standard contractual clauses may be reduced, or indeed eliminated, when the law of the third country of destination imposes obligations that are contrary to the requirements of those clauses on the importer. Thus, the prevailing legal context in the third country of destination may, depending on the actual circumstances of the transfer, […] make the obligations set out in those clauses impossible to implement.
- 126. In those circumstances, […] the contractual mechanism set out in Article 46(2)(c) of the GDPR is based on responsibility being placed on the exporter and, in the alternative, the supervisory authorities. It is on a case-by-case basis, for each specific transfer, that the controller or, failing that, the supervisory authority will examine whether the law of the third country of destination constitutes an obstacle to the implementation of the standard clauses and, therefore, to an adequate protection of the transferred data, so that the transfers must be prohibited or suspended.”
If the court follows this, the practical consequence would mean that organisations will have to do more due diligence for data transfers to certain countries and draw their conclusions accordingly.
Finally, the Advocate General stated that the resolution of the dispute in the main Irish proceedings did not require the court to rule on the validity of the EU-US Privacy Shield decision. Nevertheless, the Advocate General set out a number of reasons questioning the validity of the EU-US Privacy Shield decision; by way of reminder there is also a pending case before the (European) General Court challenging the EU-US Privacy Shield decision.
EU standard/model contractual clauses appear to be safe, for now at least, but although the court often follows an Advocate General’s Opinion this isn’t always the case, so we’ll have to see what the court’s final word will be on this – watch this space!
For other articles that we have written about data protection issues please see here: https://www.corderycompliance.com/news/
For details about Cordery’s GDPR Navigator subscription service, which includes short films, straightforward guidance, checklists and regular conference calls to help you comply, please see here: www.bit.ly/gdprnav.
For details of Cordery Breach Navigator please see here: https://www.corderycompliance.com/solutions/breach-navigator/.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|Office: +44 (0)207 075 1784||Office: +44 (0)207 075 1785|