Max Schrems, an Austrian privacy activist, has brought yet another data protection case to the Court of Justice of the European Union (CJEU). The outcome of this case will be decisive for everyone who transfers data to non-EU countries. The decision in the case has the potential to force a wide range of businesses to make huge changes in their data management.
The current case, which is commonly referred to as Schrems II, is the sequel case to the Schrems I case, which resulted in the invalidation of the Safe Harbour Framework for the data transfer between the European Union (EU) and the USA. Schrems II may cause the CJEU to consider the validity of both the European Commission Standard Contractual Clauses (SCCs) and the EU-US Privacy Shield.
The Advocate General’s opinion, issued today, has been keenly awaited as a first indication of the direction the CJEU decision may take. The SCCs are likely to remain as a valid safeguard for international data transfers. The Privacy Shield mechanism however faces a very uncertain future.
1. What has happened so far?
Max Schrems is a privacy activist who is concerned about the cooperation between US companies and US intelligence agencies, particularly about Facebook sharing personal data of EU residents with the US National Security Agency. The fundamental argument before the CJEU has been the alleged power of the US to carry out mass surveillance of EU residents’ personal data without justification. These concerns led to the Schrems I case and the invalidation of the Safe Harbour Framework in 2015. This framework was a mechanism that legitimised data flows from the EU to the US.
The decision was based, in particular, on the fact that the US legislation did not limit interference with an individual’s rights to what is strictly necessary, but allowed the bulk collection of personal data transferred to the US. The legislation did not contain any objective criteria for determining limits to such access and the subsequent use of this personal data by public authorities. After the invalidation of the Safe Harbour Framework, the Irish Data Protection Authority requested Max Schrems to amend his complaint leading him and his team to challenge the EU Standard Contractual Clauses, which is an alternative mechanism to legitimise data flows to non-EU countries.
Max Schrems used a similar argumentation for his second challenge as in the Schrems I case. The Irish Data Protection Authority then brought the case to the Irish High Court, which in turn referred 11 questions to the CJEU for a preliminary ruling. This preliminary ruling is now referred to as the Schrems II case.
2. What happened during the CJEU hearing of 9 July 2019?
The hearing in the Schrems II case took place at the CJEU in Luxembourg, where the main parties presented their arguments. The main parties in the proceeding are the Irish Data Protection Commissioner, Facebook Ireland Ltd. and Max Schrems. Moreover, many stakeholders such as the European Data Protection Board and several Member States have intervened in the proceedings.
During the hearing of 9 July 2019, the SCCs were widely discussed and it was stated by many parties – including Max Schrems’ legal team – that the SCCs should not be invalidated but that the SCCs should be (better) enforced. It was argued that without enforcement, the SCCs were not suited to provide adequate safeguards.
They also discussed the EU-US Privacy Shield, where there seemed to be a stronger tendency among the parties to push for invalidation of the mechanism.
3. What is the Advocate Generals opinion?
Until the judgement is rendered, the Advocate General’s opinion may serve as an indication on whether or not the EU-US Privacy Shield and/ or the SCCs will be declared invalid.
In the opinion of the Advocate General of 19 December 2019 the SCCs are valid. The analysis of the questions submitted to the CJEU has disclosed nothing which may affect the validity of the SCCs. He further explained that the CJEU is not required to rule on the validity of the Privacy Shield mechanism, since this is not part of the dispute at hand. Nevertheless, the Advocate General set out the reasons that lead him to question the validity of the Privacy Shield and the mechanism contained therein.
4. What will happen next? And what does this mean for my business?
The CJEU will have to render a judgement at the beginning of 2020, which may disrupt the status quo on how to deal with data transfers. The CJEU also has a case before it specifically concerning the Privacy Shield.
For now, the existing mechanisms for data transfers remain valid and the Advocate General recommends that this stays the same for the SCCs. Nevertheless, the Attorney General’s opinion indicates that the lawfulness of the Privacy Shield mechanism may be rejected in the near future, which will likely lead to a heavier reliance on the SCCs.
In the case that the CJEU invalidates the SCCs and the Privacy Shield framework, businesses would have to rely on alternative mechanisms for their data transfers to third countries.
The EU General Data Protection Regulation (GDPR) provides for three alternative safeguards, namely:
- An adequacy decision by the EU stating that a country has an adequate level of data protection. Switzerland, for example, currently benefits from an adequacy decision;
- Binding Corporate Rules; and
- A narrow list of derogations where data transfers are permitted to countries where there is no adequacy decision in place (for example, in order to protect life and health).
Currently, there is no readily available alternative to the SCCs and the EU-US Privacy Shield. For your business, this means that you will have to take immediate action following a decision that these mechanisms are invalid.
We recommend that you check that you have:
- analysed your data flows;
- considered alternatives to the SCCs and/ or the EU-US Privacy Shield;
- been in touch with your service providers to ask what contingency plans they have in place; and
- briefed your management and other key stakeholders about the situation.
Nevertheless, keep in mind that for now nothing has been decided and that we will only know for sure once the CJEU renders its judgement.
We will closely follow the case to keep you updated on the newest developments. If you have any questions, our data protection team is happy to assist.