International Data Transfers: Life in Standard Clauses Yet

Just in time for Christmas, Advocate General Saugmandsgaard Øe has handed down his Opinion in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd & Schrems (EU:C:2019:1145). As was noted in our post following the oral hearing (here), the reference concerns the compatibility of the European Commission’s standard contract clauses decision (or at least one of them) with Charter rights, Directive 95/46/EC, the GDPR and the CJEU’s case law (particularly Schrems 1: see here).

I am acting for the United Kingdom in the case, so I won’t provide any commentary on the Opinion, which of course the CJEU may or may not follow. But the headline points – which are helpfully summarised in the Court’s press release here – are as follows:

Most importantly, the AG does not consider the standard contract clauses decision to be invalid. Given the criticality of SCCs to international data transfers – including after Brexit – this is of huge practical significance.

But, the AG does emphasise that SCCs only work properly, and provide the necessary level of protection to data subjects, if controllers ensure that the contractual mechanisms and guarantees they contain are in fact working in practice (and not, for example, being overridden by the law of the third State on a routine basis) and, if they are not, cease transfers until they are. In addition, the AG places some emphasis on the role of supervisory authorities to step in and prohibit transfers if controllers are failing to act. In other words, if there is a fault, it lies not with the framework of SCCs but with controllers and regulators.

The Opinion also recommends that the CJEU not address whether the EU-US Privacy Shield, successor to the Safe Harbor scheme struck down in Schrems 1, is invalid on the basis that it is not necessary to do so in respect of the particular reference, and the matter is before the General Court (stayed pending this case). But, the AG also makes fairly clear that if he were to express a view on the Privacy Shield, it would not be a favourable one, setting detailed reasons for his concerns.

It is not yet known when the CJEU will hand down its judgment, although it is apparent that it will not follow almost immediately as it did in Schrems 1. 2020 has surprises left in store for us yet.

Christopher Knight