On the 16th of July, the Court of Justice of the European Union (“CJEU”) will release its opinion in the ‘Schrems II’ case, which could have a significant impact on the use of standard contractual clauses and third party transfers of personal data.
This case is a long-running one. Initially, the Austrian-based complainant Schrems filed a complaint with the Irish data protection authority, arguing that the transfer of an EU citizen’s personal data to Facebook in the US, using the Safe Harbor framework, violated his rights. In this first case (Schrems I), the CJEU agreed and invalidated the Safe Harbor framework for transfers of personal data to the U.S. On the heels of this success, Schrems decided to challenge transfers of his personal data to the US on the basis of the standard contractual clauses (“SCCs”), which was the other way that Facebook justified its data transfers.
Unless the EU gives the UK an Adequacy Decision before a hard Brexit (meaning that its framework is sufficiently appropriate to receive the personal data of EU citizens), companies will need to use SCCs or Binding Corporate Rules to ensure transfers of data from the EU to the UK are legal. There have been concerns that the court would invalidate the use of the SCCs after this case – but companies should take comfort that SCCs will continue to be valid after the release of the Advocate General’s non-binding opinion. He stated that SCCs are valid, and provide a good mechanism by which to transfer personal data, no matter the third country’s location. The CJEU is largely expected to follow the opinion of the AG.
In the wake of Schrems I, the U.S. created the Privacy Shield to enable transfers of personal data between the US and EU and UK businesses, which has also come under scrutiny in this case. The AG goes into detail about whether or not the Privacy Shield is an appropriate mechanism under which to transfer personal data under the data protection regulations of the EU. While the AG has ‘serious doubts’ about the Privacy Shield, including whether there are sufficient guarantees and safeguards which will prevent abuse of legitimate derogations from the GDPR for national security reasons, and the lack of effective remedies for EU citizens, for now, he believes the Privacy Shield is adequate.
Companies that rely on the Privacy Shield in the meantime may decide to enter into SCCs (pending the Schrems II final decision) for a ‘belt and braces’ approach to transfers of personal data outside the EU. Further, exporters of data need to ensure that the SCCs can actually be complied with before the data is transferred. Businesses engaging in transatlantic data shifting should be vigilant and undertake appropriate due diligence of the companies placed in third countries to ensure that their processing is in full compliance with the data protection legislation.