Validity of the Standard Contractual Clauses confirmed, uncertainty about the EU-US Privacy Shield

On December 19th 2019, the Advocate General issued his opinion in the high-profile case Schrems 2.0. The Advocate General’s opinion as such is non-binding, but is nevertheless trendsetting for the Court of Justice’s final decision. This is why his opinion is of great importance to privacy professionals.

1. International Data Transfers

Currently, there are several transfer mechanisms to organize international data transfers in compliance with the General Data Protection Regulation (GDPR). The Schrems 2.0 case focusses on two of these mechanisms which are of great importance for companies relying on international data transfers, being (1) the Standard Contractual Clauses (as issued by the European Commission) and (2) the EU-US Privacy Shield. Because these two mechanisms are widely used by businesses involved in international data transfers, organizations should follow-up how this case will further evolve.

2. Validity of the SCCs confirmed

The Advocate General’s opinion confirms the validity of the SCCs, giving organizations relying on such mechanism for international data transfers sufficient peace of mind (as for now). Taking into account the AG’s opinion, vendor assessments will gain importance as data exporters are expected to investigate on a case-by-case basis whether the relevant third country implements sufficient safeguards to ensure security of personal data. When performing such assessment, third country national applicable law should be taken into account. This means data exporters will have to assess whether the data importer implements sufficient warranties, and simply signing the SCCs will not discharge the data exporter from all responsibility. According to the Advocate General, also the Supervisory Authorities have a responsibility on this level.

3. Uncertainty for the EU-US Privacy Shield

However the Advocate General’s main recommendation in respect of the validity of the EU-US Privacy Shield was for the CJEU not to further address this topic, he raises certain concerns about its working. Organizations relying on the EU-US Privacy Shield should learn from what happened in 2015 with Safe Harbour, and might have to take precautionary measures if deemed necessary.

4. What’s the next step?

The Court of Justice will further deliberate on the AG’s opinion and take a final decision, which can be expected Q1 or Q2 2020 the latest. However the AG’s opinion is most of the time adhered to by the Court, it is still non-binding, which makes further follow-up a necessity.

5. Three main (preliminary) conclusions

1. Organizations relying on international data transfers should further follow-up the final decision of Court of Justice in the Schrems 2.0 case as the outcome will have significant impact.

2. The SCCs can currently be considered as a valid transfer mechanism for international data transfers (however following the AG’s opinion data exporters are expected to investigate the specific security guaranteed in the country of destination).

3. International data transfers based only upon the EU-US Privacy Shield should be evaluated, and it could be advisable to take precautionary measures as installing alternative transfer mechanisms as basis for international data transfers.

Nathan Schryvers | Legal Counsel in ICT & Data Protection

Case reference: case C-311/18 Data Protection Commissioner vs. Facebook Ireland Limited, Maximillian Schrems (click here)

CJEU Press Release: click here

Opinion of the Advocate General: click here (full version)

Date: 28/12/2019