Advocate General Øe: Personal data transfers under standard contractual clauses are valid
Personal data transfers from the European Union to third countries under the standard contractual clauses established by the European Commission are valid, according to an Advocate General of the European Court of Justice.
Advocate General Henrik Saugmandsgaard Øe gave his view on issues raised in a long-running dispute between Austrian privacy activist Max Schrems and Facebook Ireland.
The data of Facebook users residing in the EU, such as Mr Schrems, are transferred, in full or in part, from Facebook Ireland, the Irish subsidiary of Facebook Inc., to servers located in the United States, where they are processed.
Mr Schrems lodged a complaint with the Irish Data Protection Commission (DPC) in 2013 on the basis that Edward Snowden’s revelations about US surveillance activities showed deficiencies in the protection of data transferred there.
The case led to the European Court of Justice’s ruling that the “safe harbour” scheme for personal data transfers from the EU to the US was invalid.
The DPC is now considering a reformulated complaint from Mr Schrems which depends on the validity of Decision 2010/87 on standard contractual clauses (SCCs) for the transfer of personal data from the EU to the US.
The High Court agreed to a request from the DPC to refer questions about that decision to the European court.
In yesterday’s Opinion, Advocate General Øe proposes that the Court of Justice should reply that the analysis of the questions has disclosed nothing to affect the validity of Decision 2010/87.
The Advocate General observes, as a preliminary point, that the sole issue in the main proceedings before the High Court is whether Decision 2010/87 — whereby the Commission established the standard contractual clauses relied on in support of the transfers to which Mr Schrems’ complaint relates — is valid.
The Advocate General considers, in the first place, that EU law applies to transfers of personal data to a third country where those transfers form part of a commercial activity, even though the transferred data might undergo processing, by the public authorities of that third country, for the purposes of national security.
In the second place, the Advocate General finds that the provisions of the GDPR on transfers to third countries are aimed at ensuring the continuity of the high level of protection of personal data, whether the data are transferred on the basis of an adequacy decision or on guarantees provided by the exporter. In his view, the way in which that aim is achieved differs according to the legal basis of the transfer.
On the one hand, the purpose of an adequacy decision is to find that the third country concerned ensures, as a result of the law and practices of that country, a level of protection of the fundamental rights of the persons whose data are transferred essentially equivalent to that provided by the GDPR, read in the light of the Charter.
On the other hand, the appropriate safeguards afforded by the exporter, inter alia by contractual means, must themselves ensure that level of protection.
In that respect, the standard contractual clauses adopted by the Commission provide a general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there.
In the third place, the Advocate General examines the validity of Decision 2010/87 in the light of the Charter. He considers that the fact that that decision and the standard contractual clauses which it sets out are not binding on the authorities of the third country of destination and therefore do not prevent them from imposing obligations that are contrary to the requirements of those clauses on the importer does not in itself render that decision invalid.
The compatibility of Decision 2010/87 with the Charter depends on whether there are sufficiently sound mechanisms to ensure that transfers based on the standard contractual clauses are suspended or prohibited where those clauses are breached or impossible to honour.
In his view, that is the case in so far as there is an obligation — placed on the data controllers and, where the latter fail to act, on the supervisory authorities — to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with.
The Advocate General also notes that the referring court indirectly calls into question the assessments made by the Commission in the decision of 12 July 2016, known as the ‘privacy shield’ decision.
In that decision, the Commission found that the US ensured an adequate level of protection of data transferred from the EU under the system established by that decision, having regard to, inter alia, the safeguards surrounding the access to the transferred data by the US intelligence authorities and the judicial protection available to the persons whose data are transferred.
According to the Advocate General, the resolution of the dispute in the main proceedings does not require the Court to rule on the validity of the ‘privacy shield’ decision, since that dispute concerns only the validity of Decision 2010/87. Nevertheless, the Advocate General sets out, in the alternative, the reasons that lead him to question the validity of the ‘privacy shield’ decision in the light of the right to respect for private life and the right to an effective remedy.