The standard contractual clauses introduced by the European Commission in 2010 governing the transfer of personal data to non-Member States are valid. This was the Opinion of Advocate General Henrik Saugmandsgaard Øe of the Court of Justice of the European Union (CJEU) on Thursday 19 December in his much-awaited Opinion in the ‘Schrems II’ case (C-311/18).
The case dates back to 2013, when famous Austrian activist Max Schrems filed a complaint against Facebook with Irish regulators to stop Facebook data transfers between the EU and the US, in order to protect Europeans’ personal data from mass surveillance across the Atlantic. In 2015, it was a landmark case leading to the CJEU's decision to invalidate ‘Safe Harbor’, the forerunner of the ‘Privacy Shield’ scheme.
After years of legal proceedings, in 2018, the Irish High Court of Justice referred eleven questions to the CJEU for a preliminary ruling, particularly with regard to the data transfer mechanism in the standard contractual clauses used by Facebook, as well as the Irish regulator's ability to suspend or prohibit the transfer of personal data from users of Facebook Ireland to the United States (see EUROPE 11875/14).
In his Opinion, the Advocate General proposes that the Court of Justice should reply that the analysis of the questions has not revealed any element of such a kind as to affect the validity of Commission Decision 2010/87/EU on standard contractual clauses, contrary to the view of the Irish protection authority.
Conversely, Max Schrems did not seek the invalidity of all standard contractual clauses, but believed that the DPC - Data Protection Commissioner, Ireland - could suspend transfers of individual data from Facebook.
In a press release, he said he was “happy” with the Opinion of the Advocate-General and considered this to be a “total blow” for the Irish protection authority and Facebook, as well as a “very important step for users' privacy”.
The Advocate General further assessed the validity of Decision 2010/87 in the light of the EU Charter of Fundamental Rights and concluded that there are sufficiently robust mechanisms to suspend transfers in the event of a breach of the clauses.
The conclusions also recognise that there is an obligation - on data controllers and, in case of inaction by data controllers, on supervisory authorities - to suspend or prohibit a transfer where, due to a conflict between the obligations stemming from the standard clauses and those imposed by the law of the non-Member State of destination, these clauses cannot be complied with.
Doubts about validity of ‘ Privacy Shield’
Among the eleven questions some referred to a preliminary ruling concerning the transatlantic data protection scheme, ‘Privacy Shield’. In his Opinion, the Advocate General states that the resolution of the dispute in the main proceedings does not require the Court to rule on the validity of the scheme.
However, in the alternative observations, he sets out several reasons which lead him to question the validity of the ‘Privacy Shield’ with regard to the rights to respect for private life and the protection of personal data, as well as the right to an effective remedy.
He also considers that the Permanent Ombudsman does not provide a means of redress before an independent body offering persons whose data is transferred an opportunity to exercise their right of access to the data or to challenge possible breaches of the applicable rules by the intelligence services.
“After the ‘Safe Harbor’ judgment, the European Commission deliberately passed an invalid decision again (...) It will be very interesting to see if the Court will take this issue on board in the final decision or wait for another case to reach the Court”, said Max Schrems.
Although not binding, the Opinion of the Advocate-General is generally followed by the CJEU. For Max Schrems, however, there is a good chance that the final judgment, to be delivered in 2020, will be different from the conclusions, given the nature and number of questions asked. The Austrian activist predicts that the CJEU ruling may offer stricter privacy protection than the conclusions.
See conclusions: https://bit.ly/2Sb3Nx1 (Original version in French by Marion Fontana)