International data transfers and standard contract clauses: good news from Europe
The CJEU has now given its decision in the Schrems II case.
In December 2019, the Advocate General (AG) of the Court of Justice of the European Union (CJEU) issued his Opinion on the case known as “Schrems II” (Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems). Even though the AG’s Opinion is not binding and the case has yet to be decided by the CJEU, it offers an interesting analysis of the future of international data transfers, a topic becoming more and more relevant since the UK left the EU at the end of last month.
Why it’s important
Under current EU data protection law, organisations (data exporters) are allowed to transfer personal data outside the EEA if they have entered into a set of Standard Contractual Clauses (the “SCCs”, also known as “Model Clauses”), a standard document adopted by the European Commission, with the receiving organisation outside the EEA (the data importer). One of the questions raised in Schrems II is whether the SCCs fail to give sufficient protection and enforceable rights for individuals regarding transfers of data outside of the EEA, and if so, whether they should be invalidated altogether. If the SCCs are invalidated, this would seriously impact international data transfers, as the alternatives for transferring data outside of the EEA are often impractical, and those organisations already relying on the SCCs would need to change the legal basis for their transfers.
From a Brexit perspective, once the transition period ends on 31st December 2020 and GDPR no longer directly applies in the UK, it is very likely that UK organisations receiving personal data from European organisations would need to implement SCCs to ensure that the export of data to the UK is compliant with the GDPR. The SCCs being invalidated would seriously impact post-Brexit transfers of personal data from Europe.
So what’s the good news?
The AG’s Opinion in this respect is a positive sign, as it doesn’t suggest invalidating the SCCs. However, the AG does also mention obligations on data exporters to assess whether the recipients of their data (the data importers) can actually comply with the SCCs, and if they become aware that the data importer cannot comply, to terminate the arrangement. This raises some uncomfortable questions about how much investigation, monitoring and due diligence an organisation is expected to undertake when it exports data outside of the EEA. The AG suggests this would extend to “all of the circumstances characterising each transfer” and so would not be an easy task. At present, the SCCs are seen by most as a simple solution, involving a little paperwork and not much else. If the SCCs came with detailed due diligence requirements, they would be considerably less attractive as a prospect for international transfers.
What to do next
The CJEU’s decision itself may provide some more clarity on what exactly is expected of data exporters in this situation, but in the meantime, it may be worth considering the circumstances in which you use the SCCs, and whether they are actually being complied with.