The opinion of the advocate general on the Schrems II case might lead to uncertainties on data transfers when a clear privacy law framework is, on the contrary, necessary for the digital economy.
The Schrems II case on the validity of the Standard Contractual Clauses for data transfers
There has been a great deal of relief and appreciation from the international community after the publication of the opinion of the Advocate General of the European Court of Justice, Henrik Saugmandsgaard Øe, on the second “episode” of the dispute between Max Schrems and Facebook on data transfers outside the European Union.
Privacy lawyers remember Max Schrems well for having caused us long sleepless nights following the invalidation by the European Court of Justice of the “Safe Harbor” program for the transfer of personal data to the United States, which obliged American companies to promptly adopt the so-called “standard contractual clauses” (SCCs) approved by the European Commission to regulate this transfer.
Schrems has however now attacked the validity of the standard contractual clauses, maintaining that the protections provided by them can be reduced or eliminated if the law of the country to which the personal data is transferred includes obligations that are contrary to the provisions of the SCCs.
How would personal data transfers be regulated without SCCs?
The outcome of this dispute is significant. If standard contractual clauses were to be invalidated, the transfer of personal data to countries that are not considered by the European Commission to provide adequate protection for personal data would be almost completely blocked.
The sole alternatives that would remain would be the “Privacy Shield” for transfers only in the United States, which, however, could be challenged based on the same arguments used for the SCCs, and the so-called binding corporate rules for intra-group transfers which, however, have quite long approval times.
For this reason, there was a considerable appreciation of the Advocate General’s view on the case now labeled Schrems II according to whom the SCCs should not be invalidated. If the European Court of Justice follows the same interpretation, it is still unlikely that we would be facing the last episode of the saga on this issue, though.
The need for an ad hoc assessment of the data protection compliance of each data transfer
The advocate general, Henrik Saugmandsgaard Øe, did consider the standard contractual clauses in line with the GDPR or, in general, with European legislation on the processing of personal data. But he believes that a case-by-case assessment is still necessary with each transfer of personal data on the existence of adequate protections concerning the data transferred. This issue is, therefore, not even a question on the compatibility of the foreign legislation with European legislation on the processing of personal data but an assessment of each data transfer.
If in the context of that assessment, the data controller, or the competent data protection authority, concludes that there is no such adequate protection, the data transfer must be suspended or prohibited.
My view on the uncertainties the advocate general’s approach on data transfers
As stressed by the Irish data protection authority, the approach recommended by the Advocate General would entail a risk of inconsistency in the position taken by different European privacy authorities, which is only reduced by the presence of the ‘one-stop shop‘ mechanism provided by the GDPR. Likewise, the suspension or blocking of the transfer of personal data would not affect already transferred data for which the sole available remedy would be an indemnification for suffered damages.
These issues were not considered sufficient by the Advocate General, who, by his admission, tried to adopt a pragmatic approach in his opinion. Such pragmatism could, however, open the door to further inconsistencies within the European Union on the rules relating to the processing of personal data. Indeed, less than two years after the effective date of the GDPR, we are in a context where the objective of ensuring greater consistency in the European data protection law framework has been frustrated by rather different approaches of national legislators and privacy authorities.
The hope is that the European Court of Justice will not only confirm the validity of the standard contractual clauses but at the same time will also give detailed indications of the cases in which they cannot be used to avoid a paralysis of the global market which is increasingly based on the transfer of personal data.
On the topic above, you may find interesting the article “How Brexit impacts your European privacy strategy“.