On December 19, 2019, the Advocate General (AG) of the highest EU Court (the Court of Justice of the European Union (CJEU)) issued his opinion in Schrems II[1] (the opinion). Wilson Sonsini previously covered the key points of the opinion in our Alert of December 20 and now provides a more detailed analysis in this contribution.
At stake in this case is the validity of two key EU data transfers mechanisms, the Standard Contractual Clauses (SCCs) and the EU-U.S. Privacy Shield. The SCCs allow companies to transfer personal data to any country outside of the European Economic Area. The Privacy Shield enables transfers specifically from the EU to the U.S.
The opinion contains mixed signals for U.S. organizations doing business in the EU. Although the opinion would allow companies to continue to rely on the SCCs or Privacy Shield to enable data transfers from the EU to the U.S., it suggests increased obligations for data exporters relying on the SCCs that may be difficult for them to meet.
The opinion further calls into question the validity of the Privacy Shield, but does not reach a final determination on that question. The AG also warns organizations that specific data flows based on one of these mechanisms could still be challenged and suspended by Supervisory Authorities (SAs) in the EU. It remains to be seen if the CJEU will follow the opinion (which is not binding).
Background
Schrems II came before the CJEU through a referral by the Irish High Court. The case concerns the use of SCCs by Facebook Ireland to transfer EU personal data to the U.S. It has a long history, starting as the Schrems I case, which led to the invalidation of the EU-U.S. Safe Harbor data transfer mechanism.
- In Schrems I, Austrian privacy activist Max Schrems complained to the Irish Data Protection Commissioner (DPC) about the transfer of his personal data to the U.S. by Facebook Ireland, and the alleged onward transfer of his personal data to U.S. intelligence agencies such as the National Security Agency (NSA). Read our WSGR Data Advisor article on Schrems I for background.
- After the CJEU invalidated Safe Harbor in Schrems I, Mr. Schrems filed a new complaint with the Irish DPC challenging Facebook Ireland’s use of SCCs, arguing that this data transfer mechanism does not sufficiently protect EU personal data in the U.S.
- The Irish DPC referred the case, known as Schrems II, to the Irish High Court, which further referred it to the CJEU in 2018. The Irish High Court requested the CJEU to answer a list of questions regarding the legitimacy of EU-U.S. data transfers based on SCCs and the EU-U.S. Privacy Shield mechanism.
- On December 19, 2019, the AG of the CJEU issued his opinion in Schrems II.
Data Transfer Tools at Stake
The SCCs are standard contracts issued by the EU Commission. They can be entered into by a data exporter in the EU and a data importer located outside of the EU. The clauses are intended to ensure contractual protection for personal data that is transferred from the exporter to the importer. There are three sets of SCCs available, depending on whether the data recipient will be a controller or a processor.
The EU-U.S. Privacy Shield mechanism replaces the former EU-U.S. Safe Harbor mechanism. In 2016, the EU Commission issued a decision in which it found that the Privacy Shield provided adequate protection for EU personal data (i.e., a level of protection essentially equivalent to that guaranteed within the EU). Approximately 5,000 companies have joined the Privacy Shield so far.
The Opinion
We summarize below the AG’s reasoning regarding the validity of the SCCs and the Privacy Shield.
- SCCs. The AG finds no reason to declare the SCCs invalid, since their provisions (if they are complied with) provide for adequate protection.[2] In particular, the SCCs provide for a suspension of unsafe data flows:
  - by the data exporter. The SCCs require suspending data transfers in case adequate protection cannot be assured in the country of the data importer. In particular, 1) where the data exporter determines that local laws in the destination country prevent compliance with the SCCs, it may not rely on the SCCs; and 2) where such a transfer has already taken place on the basis of the SCCs, the exporter must suspend the transfer as soon as it is informed by the data importer that it can no longer comply with the SCCs.
  - by the competent SA. Where the data exporter fails to act, the competent SA in the EU must “adopt corrective measures,” such as suspending the transfer and prohibiting further transfers.[3]
- Privacy Shield. The AG does not see a need to examine the validity of the Privacy Shield, since the Privacy Shield is not relevant for the data transfers at stake.[4]
  - The level of protection provided by the Privacy Shield is not relevant for the case. The AG considers that SAs are not bound by the EU Commission’s approval of the Privacy Shield when evaluating data transfers to the U.S. on the basis of the SCCs. Therefore, the protection provided by the Privacy Shield is not relevant to assessing the transfers in this case.
  - Privacy Shield nevertheless raises concerns. The AG expresses concerns about the conformity of the Privacy Shield with the GDPR and other EU laws. The AG doubts whether U.S. laws provide sufficient safeguards against surveillance by U.S. intelligence services, and whether the Privacy Shield’s Ombudsperson mechanism provides sufficient remedies for EU citizens whose personal data is accessed by such services.
The AG’s opinion is not legally binding on the Court, but is often an omen of the final ruling. The CJEU has not yet indicated a timing for its decision, but it is expected for the first half of 2020.
Implications of the Opinion
If the CJEU were to follow the AG, U.S. organizations would be able to continue relying on SCCs and the Privacy Shield for their data transfers from the EU to the U.S. However, this would also entail certain risks:
- Increased scrutiny for data transfers based on SCCs. If the CJEU follows the opinion, organizations will likely experience more inquiries and investigations by SAs relating to data transfers to countries with broad surveillance laws. Entering into SCCs will not necessarily legitimize these transfers. Such increased scrutiny could be triggered by an increase in complaints from data subjects and civil rights organizations, potentially claiming compensation for damages. The AG notes that SAs must examine such complaints “with all due diligence.”
- High responsibility for data exporters. The opinion raises concerns regarding the obligations and level of responsibility placed on controllers that rely on SCCs and the Privacy Shield. The SCCs place a duty of care on data exporters, and on the SAs who have oversight over the activities of data exporters, to examine on a case-by-case basis whether the laws of the importing country create an obstacle to the adequate protection of the transferred data. The AG states that organizations should take into account “all of the circumstances characterising each transfer” to assess whether there is any conflict between the level of protection required by the SCCs and the destination country’s local laws. This will likely be burdensome for companies, and it raises the question whether EU legislators really intended to place such a high level of responsibility on companies when they drafted the GDPR:
  - A very difficult exercise for companies. The adequacy assessment set out in the opinion may prove to be a very difficult exercise in practice. For instance, a typical situation in which the exporter’s adequacy assessment should, according to the AG, lead to a suspension of the data flows would be where local authorities in the importing country could obtain access to the transferred data without appropriate remedies being available to the EU data subjects. However, the data exporter may not even be aware of such data access requests, because they are typically confidential (e.g., subject to a gag order). Moreover, examining the theoretical possibility of such data access by local authorities (or the existence of any other local laws that could raise a conflict with the SCCs) prior to entering into the SCCs could be extremely burdensome. For example, for an intra-company data transfer agreement between entities in many different countries, the EU exporter(s) would need to assess all relevant laws of each non-EU country and determine whether any of them include obligations that could potentially prevent compliance with the SCCs.
  - The European Commission is better fit to assess the adequacy of a non-EU country’s legal system. The AG specifies that the adequacy assessment should include all circumstances of the specific transfer, such as the nature of the data, the mechanisms employed by the exporter and/or the importer to ensure its security, the nature and purpose of the processing by the public authorities of the importing country which the data will undergo, the details of such processing, and the limitations and safeguards ensured by the importing country. The question is whether individual organizations are fit to make such assessments of third countries’ laws, and whether it is appropriate to assign that difficult responsibility to them. Organizations that closely followed the GDPR’s legislative process may recall that the goal of the GDPR was to “remove administrative requirements in order to reduce costs and minimise the administrative burden” for companies.[5] Moreover, the AG states that the exporter’s assessment should be similar to that of the European Commission when it determines whether or not to issue an adequacy decision (i.e., a finding that a non-EU country offers an adequate level of data protection). However, the SCCs are precisely intended to permit transfers to countries for which such adequacy decisions have not been issued.
  - Risk of fragmentation. The AG admits that, with regard to the assessment of data importers’ local laws, SAs of different EU countries may come to different conclusions, which creates a risk of fragmentation in the EU. The same risk exists for assessments made by different EU data exporters.
- Privacy Shield may still be invalidated. The AG does not see a ground for the CJEU to issue a formal decision on the validity of the Privacy Shield. However, there is currently another case pending before the CJEU which seeks annulment of the Privacy Shield (Case T-738/16 – La Quadrature du Net). The CJEU could rely on (some of) the concerns raised by the AG with regard to the Privacy Shield in the opinion (e.g., the existence of laws permitting interference by government agencies and the lack of an effective remedy) to invalidate the Privacy Shield in that other case. If the Privacy Shield is invalidated, companies will need to take swift action to rely on another adequate transfer mechanism until the EU and the U.S. formulate a Privacy Shield fix or provide for a new data transfer regime.
Conclusion
If the opinion is followed by the Court, companies may continue their cross-border transfers under the existing framework. However, companies would not be able to use SCCs as an “off-the-shelf” solution. Companies would be responsible for assessing whether the laws of the destination country conflict with the SCCs, and they would need to suspend or prohibit the transfer of personal data if they find that the data may not be adequately protected in the destination country.
If companies fail to do so, SAs have a duty to step in and take corrective measures. In practice, the full implications of a judgment that follows the AG will only become visible with the first suspension of a data flow by an SA. This will likely have a domino effect, causing other companies to also suspend their data flows to the non-EU country concerned. If different SAs come to different conclusions regarding the same non-EU country, this will cause immense legal uncertainty for businesses.
Moreover, the opinion raises concerns with regard to the level of protection provided by the Privacy Shield, which the CJEU could use to invalidate that data transfer mechanism. The CJEU is expected to issue its judgment in the following months, but a specific date has not been made public yet.
[1] Opinion of Advocate General Saugmandsgaard Oe in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C‑311/18), December 19, 2019.
[2] See paragraph 343 of the opinion.
[3] See paragraph 158 of the opinion.
[4] See paragraph 193 of the opinion.
[5] https://ec.europa.eu/info/sites/info/files/data-protection-factsheet-sme-obligations_en.pdf