• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to secondary sidebar

Alston & Bird Privacy, Cyber & Data Strategy Blog

  • Home
  • Services
  • Events
  • Contacts

Schrems 2.0: Standard Contractual Clauses Declared Valid by EU Advocate General

December 19, 2019 By Laura K. Song and Wim Nauwelaerts

 

The Advocate General’s Opinion of December 19, 2019 deemed valid the Standard Contractual Clauses (SCCs) adopted by the European Commission for the transfer of personal data from controllers to processors. Currently, many companies rely on SCCs as a mechanism for transferring personal data from the EU to non-EU countries in compliance with the GDPR. The opinion therefore confirms that companies relying on SCCs do not need to consider changing their practices.

Background
Max Schrems first filed a complaint against Facebook’s data transfer practices with the Irish data protection authority (Data Protection Commission or DPC) in 2013 which led to the invalidation of the U.S.-EU Safe Harbor framework by the European Court of Justice (ECJ), the highest court of the EU, in October 2015. As a result, many companies that previously relied on Safe Harbor for data transfers adopted SCCs to transfer data to processors outside of the EU since the replacement for Safe Harbor, Privacy Shield, was not operational until August 2016.

In the wake of the Court’s decision, Mr. Schrems filed a new complaint with the DPC focused on Facebook’s transfer of personal data from the EU to the US based on SCCs. In response, the DPC sought clarity through the courts not only on the validity of SCCs but also on Privacy Shield. The DPC filed a claim with the Irish High Court which subsequently referred the case to the ECJ along with 11 questions.  On July 9, 2019, the ECJ heard oral arguments in the case (Schrems 2.0).

Advocate General’s Opinion
On December 19, 2019, the Court’s Advocate General Henrik Saugmandsgaard Øe provided his opinion for Schrems 2.0. Although not legally binding, the opinion of the Advocate General is highly influential. Below are three key takeaways from the opinion:

  • The ECJ should focus its decision on the subject matter at issue to allow the Irish High Court to resolve the dispute in the main proceedings (i.e. address the validity of SCCs and ignore questions regarding Privacy Shield).
  • The safeguards and level of data protection provided in the country in which data is transferred is not relevant to the validity of SCCs. SCCs are a valid data transfer mechanism because they provide the appropriate safeguards for data transfers from the EU through the soundness of the safeguards provided by the clauses.
  • Where there is a conflict between the provisions of the SCCs and the law of the country where the data is being transferred to, the controller (data exporter) must suspend or prohibit affected data transfers where the provisions of the SCCs cannot be complied with. This is because any failure to implement the SCCs by the processor (data importer) means that the controller cannot warrant an adequate level of protection in accordance with the SCCs. Where a controller fails to suspect or prohibit transfers, the competent data protection authority must ensure that the transfers are suspended or prohibited. This should be determined on a case-by-case basis for each specific transfer by the controller.

What’s Next
Typically, the ECJ will issue a judgment three to six months after the Advocate General’s opinion which means the Court could make a determination by the first half of 2020. Then, the Irish High Court will need to proceed with the case in accordance with the Court’s decision. If the ECJ follows the opinion of the Advocate General, the DPC will ultimately be back in the same position as it was in 2016 where it will need to make a decision regarding Mr. Schrems’s complaint.

Filed Under: Data Protection, International, Privacy Tagged With: Cross-border, EU Data Protection, EU Privacy, European Court of Justice, European Union (EU), GDPR, International Data Transfers, Max Schrems decision

About Laura K. Song

Laura K. Song is an associate in the Brussels office and a member of the Technology & Privacy Group and the Privacy & Data Security Team. Laura’s privacy and data protection practice includes a focus on the General Data Protection Regulation, binding corporate rules, and data transfer advice, as well as HIPAA compliance.

[Read Bio]

About Wim Nauwelaerts

Wim Nauwelaerts is a partner in the Brussels office, leading Alston & Bird’s European Privacy & Data Security Team. Wim has over 20 years of experience working with global companies on their data protection, privacy, and cybersecurity needs, including General Data Protection Regulation (GDPR) readiness, data transfer, data security and breach requirements, and compliance training.

[Read Bio]

Primary Sidebar

This blog is a service of Alston & Bird’s Privacy, Cyber & Data Strategy team and focuses on key data privacy and data security issues.


Receive email notifications when new posts are added.

Receive email notifications when new posts are added.


THE DIGITAL DOWNLOAD
Click here to see the editions

PRIVACY & CYBER EVENTS
Click here to see upcoming and past events

PRIVACY & CYBER MAILINGS
Click here to sign up

@ALSTONPRIVACY
Click here to follow us on Twitter

Secondary Sidebar

Categories

Recent Posts

  • European Commission Adopts Draft UK Adequacy Decision
  • NYDFS Issues Best Practices for Cyber Insurance Risk Management
  • Fifth Circuit Decision Raises Cyber Enforcement Complications for the U.S. Department of Health and Human Services
  • Virginia Ready to Pass First State Privacy Statute after CCPA
  • The EDPB-EDPS Joint Opinion on Data Processing Standard Contractual Clauses: Key Takeaways
Copyright © 2021 · Alston & Bird · All Rights Reserved. Privacy.