A week before Christmas, EU Advocate General (AG) Henrik Saugmandsgaard Øe issued his opinion in the Data Protection Commissioner v. Facebook Ireland Ltd, Maximillian Schrems case (Case C-311/18) finding that the EU standard contractual clauses (SCC) are valid (see link). Although the opinion is not binding on the European Court of Justice, the Opinion is influential.
Max Schrems is the Austrian privacy attorney whose challenge to the Safe Harbor data transfer regime between the EU and the USA led to its invalidation (and the creation of the Privacy Shield data transfer regime). In what was called Schrems II, Mr. Schrems challenged Facebook's use of the EU approved SCC (see link to the SCC) to transfer personal data to the US arguing that they did not offer an adequate level of protection. The SCC are one of the approved methods to transfer personal data out of the EU. If they had been invalidated, many businesses would no longer have an approved basis to transfer personal data out of the EU.
The AG found that it was not necessary to determine if the laws and practices of the country to which personal data was transferred offered an adequate level of protection. Rather, the validity of the SCCs rests on "whether there are sufficiently sound mechanisms to ensure that transfers based on the standard contractual clauses are suspended or prohibited where those clauses are breached or impossible to honor" (Opinion at para. 127). Thus, the onus is on the data controller (and supervisory authorities) to suspend or prohibit transfers when the SCC cannot be complied with (Opinion at para. 128).
The AG also noted in his Opinion that there were issues with the Privacy Shield data transfer regime. As there are over 5,000 organizations that have registered for the Privacy Shield, these issues should be addressed during the annual EU/US Privacy Shield review.
Image by Jan Vašek from Pixabay.