Scott McGeachy: Schrems II – Brexit and standard contractual clauses
In the case of Schrems II, the Advocate General of the Court of Justice of the European Union (CJEU) issued an opinion which upholds the validity of the European Commission’s standard contractual clauses for the transfer of personal data to countries outside the European Economic Area (EEA). Scott McGeachy explains the case and its implications.
The latest version of the standard contractual clauses was issued by the European Commission in 2010. These are template clauses which organisations can put in place in order to provide an adequate safeguard for the protection of personal data which is transferred outside the EEA.
In Schrems II, Max Schrems (an Austrian privacy campaigner) sought to challenge the validity of standard contractual clauses for the transfer of Facebook users’ personal data from Facebook Ireland to servers located in the USA.
The Advocate General has issued an opinion which states that: “Standard contractual clauses for the transfer of personal data to processors established in third countries is valid”.
However, the Advocate General noted that data controllers and supervisory authorities will be obliged to suspend or prohibit a data transfer in certain circumstances, e.g. if it is no longer possible to comply with the standard contractual clauses due to a conflict with the obligations imposed by the laws of a third country.
It should be borne in mind that the Advocate General’s opinion is not legally binding. Although it is not guaranteed, it is likely that the judges of the CJEU will follow his opinion – in the majority of cases, the CJEU follows the detailed opinion of the Advocate General.
Consequences of Schrems II
If the CJEU confirms the validity of standard contractual clauses, this will be good news for organisations which currently use the standard contractual clauses in order to transfer personal data to third countries outside the EEA.
If the standard contractual clauses were to be declared invalid by the CJEU, this would create serious difficulties for many organisations which rely on standard contractual clauses for the purpose of transferring data to countries which are outside the EEA and do not have the benefit of an “adequacy decision” issued by the European Commission (i.e. non-adequate countries).
In the absence of standard contractual clauses, it would be difficult for organisations to meet the requirements of the GDPR in relation to the international transfer of personal data to non-adequate countries.
Brexit and standard contractual clauses
In light of the opinion in Schrems II, it is important to consider the use of standard contractual clauses and how this relates to Brexit.
When the UK leaves the EU on 31st January 2020, the transfer of personal data from the EU to the UK will be permitted as at present during the transition period until 31st December 2020.
However, after the transition period expires on 31st December 2020, it will only be possible to transfer personal data from the EU to the UK if appropriate safeguards are put in place in relation to the data transfer.
It is possible that the European Commission may grant an adequacy decision in favour of the UK during the transition period. However, there is a clear risk that an adequacy decision will not be granted before 31st December 2020.
In particular, objections to an adequacy decision may be raised in relation to concerns about the UK’s national security procedures, including concerns about mass surveillance and data sharing with US authorities.
In addition, it is possible that a decision on adequacy will be a lengthy process, spanning several years. The EU’s new European Data Protection Supervisor, Wojciech Wiewiórowski, recently stated that the UK would be at the “end of the queue” for any adequacy decision, and that it would be hard to achieve an adequacy decision within the transition period.
If an adequacy decision is not granted in favour of the UK, many organisations will be required to put in place standard contractual clauses in order to continue to transfer personal data from the EU to the UK after 31st December 2020.
Planning ahead – putting in place standard contractual clauses
If your organisation has any data flows from the EU to the UK, it will be important to ensure that you put in place standard contractual clauses in good time ahead of the Brexit transition deadline (i.e. 31st December 2020). Failure to do so could lead to regulatory enforcement action by European supervisory authorities.
Scott McGeachy is a senior solicitor at Burness Paull