In the case of Schrems II, the Advocate General of the Court of Justice of the European Union (CJEU) has issued an opinion which upholds the validity of the European Commission’s Standard Contractual Clauses for the transfer of personal data to countries outside the European Economic Area (EEA).
The latest version of the Standard Contractual Clauses was issued by the European Commission in 2010. These are template clauses which organisations can put in place in order to provide an adequate safeguard for the protection of personal data which is transferred outside the EEA.
In Schrems II, Max Schrems (an Austrian privacy campaigner) is seeking to challenge the validity of Standard Contractual Clauses for the transfer of Facebook users’ personal data from Facebook Ireland to servers located in the USA.
The Advocate General has now issued an opinion which states that: “Standard contractual clauses for the transfer of personal data to processors established in third countries is valid”.
However, the Advocate General noted that data controllers and supervisory authorities will be obliged to suspend or prohibit a data transfer in certain circumstances, e.g. if it is no longer possible to comply with the Standard Contractual Clauses due to a conflict with the obligations imposed by the laws of a third country.
It should be borne in mind that the Advocate General’s opinion is not legally binding. Although it is not guaranteed, it is likely that the judges of the CJEU will follow his opinion – in the majority of cases, the CJEU follows the detailed opinion of the Advocate General.
Consequences of Schrems II
If the CJEU confirms the validity of Standard Contractual Clauses, this will be good news for organisations which currently use the Standard Contractual Clauses in order to transfer personal data to third countries outside the EEA.
If the Standard Contractual Clauses were to be declared invalid by the CJEU, this would create serious difficulties for many organisations which rely on Standard Contractual Clauses for the purpose of transferring data to countries which are outside the EEA and do not have the benefit of an “adequacy decision” issued by the European Commission (i.e. non-adequate countries).
In the absence of Standard Contractual Clauses, it would be difficult for organisations to meet the requirements of the GDPR in relation to the international transfer of personal data to non-adequate countries.
Brexit and Standard Contractual Clauses
In light of the opinion in Schrems II, it is important to consider the use of Standard Contractual Clauses and how this relates to Brexit.
When the UK leaves the EU on 31st January 2020, the transfer of personal data from the EU to the UK will be permitted as at present during the transition period until 31st December 2020.
However, after the transition period expires on 31st December 2020, it will only be possible to transfer personal data from the EU to the UK if appropriate safeguards are put in place in relation to the data transfer.
It is possible that the European Commission may grant an adequacy decision in favour of the UK during the transition period. However, there is a clear risk that an adequacy decision will not be granted before 31st December 2020.
In particular, objections to an adequacy decision may be raised in relation to concerns about the UK’s national security procedures, including concerns about mass surveillance and data sharing with US authorities.
In addition, it is possible that a decision on adequacy will be a lengthy process, spanning several years. The EU’s new European Data Protection Supervisor, Wojciech Wiewiórowski, recently stated that the UK would be at the “end of the queue” for any adequacy decision, and that it would be hard to achieve an adequacy decision within the transition period.
If an adequacy decision is not granted in favour of the UK, many organisations will be required to put in place Standard Contractual Clauses in order to continue to transfer personal data from the EU to the UK after 31st December 2020.
Planning ahead – putting in place Standard Contractual Clauses
If your organisation has any data flows from the EU to the UK, it will be important to ensure that you put in place Standard Contractual Clauses in good time ahead of the Brexit transition deadline (i.e. 31st December 2020). Failure to do so could lead to regulatory enforcement action by European supervisory authorities.
As a firm, we have data privacy / GDPR specialists with extensive experience of advising on, and putting in place, Standard Contractual Clauses for international data transfers (as well as other means of lawful transfer). We can help to ensure that data transfers from the EU to the UK remain lawful, even if an adequacy decision is not granted in favour of the UK in time.
Please contact David Goodbrand at Burness Paull and we would be happy to help.
Related News, Insights & Events
Risk horizon scan: 2025
January is the optimal time for businesses to review risk registers against management plans and goals for the next 12 months.
Cyber security – looking back on 2024 and what businesses can expect in 2025
2024 was another year in which UK businesses battled to combat cyber security threats, which continue to impact organisations of all sizes across all sectors.
Risk in commercial shipping – The Supreme Court clarifies the scope of Hague Visby Rules for claims for misdelivery of cargo
A Supreme Court decision has shed light on the scope of protection for carriers under a key international convention, highlighting the need for thorough risk assessment in the contracting process.