What does new Schrems II case mean for businesses?
CJEU’s Advocate General Henrik Saugmandsgaardøe publishes his opinion in the so-called ‘Schrems II’ case.
New Year, new regulation concerns? Two weeks before the end of 2019, Court of Justice of the European Union’s (CJEU) Advocate General delivered his opinion in the case known as ‘Schrems II’, concerning the validity of the Standard Contractual Clauses (SCCs).
Article 46 GDPR refers SCCs as a valid safeguard that businesses can incorporate to contracts in order to make personal data transfers to third countries. SCCs contain contractual obligations on the data exporter and the data importer, and rights for the individuals whose personal data is transferred. Individuals can directly enforce those rights against the data importer and the data exporter.
Let’s recap first.
What is ‘Schrems II’ case about?
‘Schrems II’ is a sequel to the complaint made in 2013 by Max Schrems, in connection with Facebook and transfers of personal data to the U.S. The complaint was brought to the Irish DPA and was referred to the CJEU, who declared Safe Harbour invalid.
As a consequence, businesses could no longer rely on Safe Harbour for international data transfers and started to base them on SCCs instead. In 2016, the EU Commission replaced Safe Harbour with ‘Privacy Shield’ in light of the ‘Schrems I’ case.
In ‘Schrems II’, Max Schrems issued a new complaint to the Irish DPA, with a similar approach to SCCs as the one taken with Safe Harbour. Advocate General has now issued their opinion.
What is the Advocate General opinion in Schrems II ?
CJEU’s Advocate General has reaffirmed the sufficiency of SCCs. However, he has suggested that businesses and data protection authorities (DPAs) should assess the sufficiency of foreign countries’ national security protections on a case-by-case basis.
The opinion states that: “a supervisory authority must examine with all due diligence the complaint lodged by a person whose data are alleged to be transferred to a third country in breach of the standard contractual clauses applicable to the transfer” and “where appropriate, it must suspend the transfer if it concludes that the standard contractual clauses are not being complied with and that appropriate protection of the data transferred cannot be ensured by other means.”
Why does the Advocate General opinion in Schrems II not surprise?
The above suggests that transferring personal data to third countries will require more efforts than just adding SCCs to the agreement with the importer. Businesses will need to ensure that SCCs are being complied with in practice. In my view though, this burden on the controllers is not something new and can be derived from the controllers’ general responsibility to demonstrate compliance with the GDPR principles, namely: lawfulness, fairness, transparency, data minimisation, purpose limitation, accuracy, storage limitation, integrity and confidentiality.
These principles apply to any international transfers of personal data, regardless of the transfer safeguards used. Whereas the Irish DPA highlights that this could result in fragmentation amongst supervisory authorities within the Member States, it might be unavoidable when it comes to practical application of GDPR absent common opinions by the European Data Protection Board (EDPB) or case law.
Whereas the CJEU is not bound by the opinion, Advocate General’s views are typically followed by the Court in the majority of cases. The CJEU is expected to issue a final decision in the coming months.