Opinion on standard contractual clauses: more a compliance headache than a panacea


A recent non-binding Opinion of the Advocate General has signalled that the standard contractual clauses can continue to be used as a safeguard for transferring personal data outside the EEA. However, additional steps will need to be taken by exporters, importers and data protection authorities to ensure the clauses are complied with and that transfers are suspended when required.

On 19 December 2019 Advocate General Saugmandsgaard Øe delivered his opinion to the Court of Justice of the European Union (“CJEU”), stating his view that European Commission Decision 2010/87 (the decision establishing the standard contractual clauses for controller-to-processor transfers of personal data (“SCCs”)) remains valid when examined in light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (“Charter”) (see the CJEU press release and the full opinion of 19 December 2019). At first glance, this seems like reason to breathe easy again, knowing that this widely used mechanism for international data transfers can continue to be relied on. However, read further into the detail of this lengthy opinion and you will see that additional obligations are imposed on exporters and importers seeking to rely on SCCs (and also on data protection authorities (“DPAs”)), which may not be easy to comply with in practice.

Why is this important?

The SCCs are one of several mechanisms for international data transfers under the GDPR. They are favoured by organisations for their flexibility compared with other mechanisms such as binding corporate rules or the derogations (which apply only in specific circumstances), and in some instances they are the only option available. If the SCCs were found to be invalid, many organisations that need to transfer personal data outside the EEA, for instance to service providers or to other entities in their corporate group, would be left in an untenable position: they could either stop those transfers (and face business disruption, commercial losses or breach of contract claims from terminated suppliers) or risk being in breach of the GDPR (and face fines in the highest tier, of up to €20 million or 4% of worldwide annual turnover, or stop-transfer orders from the DPAs).

However, a key point of the Opinion is that, if it is not possible for personal data to be adequately protected in a non-EEA importer’s country even though SCCs are in place, then the data exporter must suspend those data transfers. If the exporter does not do so, then the relevant DPA can order the transfer to be suspended or stopped.

Why has this issue arisen?

This is the latest stage in an ongoing and complex legal wrangle between Austrian privacy rights campaigner Max Schrems and Facebook. The request for an opinion was submitted in proceedings brought by the Data Protection Commissioner, Ireland (‘DPC’) against Facebook Ireland Ltd and Mr Schrems in respect of a complaint by Mr Schrems to the DPC about the transfer of his personal data by Facebook Ireland to Facebook, Inc., its US parent company. Mr Schrems’ claims included that, in view of the U.S. mass surveillance programmes (such as PRISM), there is no remedy that would allow data subjects to rely on their rights to respect for private life and to protection of personal data. Therefore, Mr Schrems requested the DPC to suspend the transfer of his data (as provided for in Decision 2010/87).

The DPC decided that its ability to assess that complaint hinged on whether or not Decision 2010/87 was valid, and brought proceedings asking the Irish High Court to seek clarification from the CJEU on that point. Accordingly, the High Court referred the issue to the CJEU for a preliminary ruling.

What were the key findings in the Opinion?

The Advocate General proposes upfront that the Court of Justice “should reply that the analysis of the questions has disclosed nothing to affect the validity of Decision 2010/87”. His key findings were that:

  • EU law applies to transfers of personal data outside the EEA where those transfers form part of a commercial activity, even though the transferred data might undergo subsequent processing, by the public authorities of that third country, for the purposes of national security.
  • The provisions of the GDPR on extra-EEA transfers are aimed at ensuring personal data continues to be protected to a high standard, irrespective of the transfer mechanism used, and the way in which that aim is achieved differs according to the legal basis of the transfer.
  • The appropriate safeguards afforded by the exporter using the SCCs must themselves ensure a level of protection to individuals whose personal data is transferred equivalent to that provided by the GDPR, read in the light of the Charter. In that respect, the SCCs provide a general mechanism applicable to transfers irrespective of the non-EEA importer’s country and the level of protection guaranteed there.
  • The compatibility of Decision 2010/87 with the Charter depends on whether there are sufficiently sound mechanisms to ensure that transfers based on the SCCs are suspended or prohibited where those clauses are breached or compliance is impossible.
  • This appears to be the case as the SCCs require the importer to process the personal data only on behalf of the exporter and in compliance with its instructions and the SCCs. If the importer cannot comply with those clauses, it agrees to inform the exporter promptly, with the exporter then entitled to suspend the transfer and/or to terminate the contract.
  • Additionally, the importer must certify that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the exporter’s instructions and its contractual obligations. It must promptly notify the exporter of changes in that legislation that are likely to have a substantial adverse effect on its obligations under the SCCs, and again the exporter is entitled to suspend the transfer of data and/or terminate the contract. If the exporter decides to continue the transfer, the exporter must forward the notification received from the importer to the DPA.
  • There is therefore an obligation on the controller (and, where the controller fails to act, on the DPAs) to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the SCCs and those imposed by the law of the non-EEA importer’s country, the SCCs cannot be complied with. (In practice, this would likely mean that an alternative transfer mechanism would need to be relied on instead.)

What about transfers to the US?

Whilst the validity of the SCCs is the sole issue to be decided in the main proceedings before the High Court, the Opinion also addresses, in the alternative, the concerns raised in those proceedings about the adequacy of the level of protection guaranteed in the U.S. for the rights of individuals whose data is transferred there, given the interferences by U.S. intelligence authorities. This has implications not just for the use of SCCs to transfer personal data to the U.S., but also for the validity of the EU-US Privacy Shield.

The Advocate General set out, in the alternative, reasons that lead him to question the validity of the Commission’s adequacy decision on the Privacy Shield, including in particular concerns about the lack of independence of the Ombudsperson mechanism. This is therefore another space to watch.

What should organisations do next?

Organisations that export or import EEA personal data should keep a close eye on the impending CJEU ruling, which should shed more light on exactly what needs to be done to ensure that international data transfers on the basis of SCCs remain compliant. However, if the CJEU follows the Advocate General’s Opinion (as it usually does), this will likely mean that:

Data exporters will need to:

  • Implement an effective mechanism to ensure that the SCCs are complied with and that transfers are suspended when required under the SCCs. This will significantly increase the burden on data exporters and require additional steps to be taken such as:
    • making an initial assessment of the level of protection offered by local laws in the importer’s country and whether these conflict with the protections under the SCCs – including looking out for any stop-transfer orders by DPAs on the basis that local laws in the non-EEA importer’s country conflict with the SCCs;
    • regular monitoring of processors and other recipients of personal data outside the EEA to ensure that the controller’s instructions and the SCCs are being complied with; and
    • proactively asking processors and other recipients of personal data outside the EEA for updates on changes in local legislation.
  • Notify DPAs if they decide to continue a data transfer despite being notified by a data importer of changes in legislation likely to have a substantial adverse effect on its obligations under the SCCs.

Data importers will need to:

  • Certify that they have no reason to believe that the legislation applicable to them prevents them from fulfilling the exporter’s instructions and their contractual obligations (or disclose issues to the contrary).
  • Assist data exporters in making an initial assessment of the level of protection offered by local laws in the importer’s country and whether these conflict with the protections under the SCCs.
  • Agree to subject themselves to regular monitoring to ensure that the exporting controller’s instructions and the SCCs are being complied with.
  • Provide updates to data exporters on changes in local legislation.

DPAs will need to:

  • Deal with notifications by data exporters that decide to continue data transfers despite being notified by a data importer of changes in legislation likely to have a substantial adverse effect on its obligations under the SCCs.
  • Impose “stop-transfer” orders where necessary, i.e. where they consider that an international data transfer is not compliant with the GDPR and the exporter has not itself suspended it.

All of this will likely require additional resourcing and increase costs for all involved, including prompting negotiations on whether data importers can pass down their increased costs of compliance to data exporters.