International data transfers - temporary sigh of relief over model clauses?

The background – Schrems attacks model clauses after getting Safe Harbor scrapped

We’ve written previously about the background to this case, which has potentially significant implications for international data transfers.

The case was initiated in 2015 by Max Schrems (a data privacy activist who previously succeeded in getting the previous “Safe Harbor” transfer mechanism invalidated). He asked the Irish Data Protection Commissioner (“DPC”) to stop Facebook transferring personal data from its Irish entity to its US entity. Facebook used model clauses (also known as Standard Contractual Clauses or “SCCs”) for the data transfer. Schrems argues that the US approach to personal data undermines the EU’s high data protection standards, and that personal data should not be exported to the US irrespective of the transfer mechanism.

The Irish DPC raised concerns about the usage of SCCs in general, and the case ended up before the European Court of Justice (“ECJ”).

The Advocate General opinion – model clauses are valid, but controllers and supervisory authorities must assess adequacy of protection

In broad terms the Advocate General (“AG”) has concluded that SCCs are a valid transfer mechanism. However, the reasoning of the AG also puts significant responsibility on controllers and supervisory authorities to assess whether the country receiving the data provides adequate protection.

The AG said that SCCs could only provide the necessary “appropriate safeguards” for personal data under the GDPR if there “is an obligation — placed on the controllers … and, where the latter fail to act, on the supervisory authorities … — to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with.” The AG went on to confirm that, in his opinion, controllers and supervisory authorities do indeed have those obligations, and so SCCs are valid.

The AG is suggesting that first a data controller and then, if necessary, the local data protection authority, should assess on a case by case basis if SCCs do provide adequate protection.  We will have to see if the ECJ agrees and, if so, whether it adds more detail to what appears to be a complex proposal. What threshold do data controllers have to use? What happens if different data protection authorities take different approaches? Arguably, the AG’s opinion is contradictory in concluding that SCCs are fine to use on the one hand, but on the other hand controllers (and data protection authorities) have the burden of assessing the legal framework of the country in which the receiving party is based.

The AG refrained from drawing any conclusions on the general validity of Privacy Shield (an aspect brought into the case by Facebook), but he did express doubts especially around the scope of intelligence services powers in the US. Another case is also pending before the ECJ (brought by La Quadrature du Net) specifically on the validity of Privacy Shield. 

Practical impact – controllers can still use model clauses

It is now for the ECJ to decide the case and it is not bound by the opinion of the AG. The ECJ’s judgement is expected within the next 3-6 months.

Data controllers should carry on as usual – SCCs are still a valid transfer mechanism, at least for now, and there is currently a lack of better alternatives (albeit Privacy Shield also remains an option but, as mentioned, is equally under scrutiny). However, the position should be kept under very close review.

Data Protection Commissioner v Facebook Ireland Limited