The European Union’s highest court, the Court of Justice of the European Union (CJEU), is evaluating the legitimacy of the EU standard contractual clauses (SCC).  SCCs have been the bedrock of cross-border personal data transfers outside the EU for many years.

Today, the advocate general (a.g.) has rendered an opinion on the Schrems II case. By way of brief background, Schrems II is a case before the Court of Justice of the European Union (CJEU) that challenges the validity of the European Commission’s decision that Standard Contractual Clauses for Transfers to Data Processors (SCCs) are sufficient to address cross-border data transfer restrictions. SCCs have been the bedrock of cross-border personal data transfers outside the European Union for many years, such that this case has broad commercial implications for companies that do business globally.  The a.g.’s opinion is a preliminary step in the process before the CJEU issues its final decision on the matter.  The a.g.’s opinion is not binding on the court, but generally is viewed as persuasive.

In the opinion today, the a.g. advises that the SCC should not be invalidated, but that reliance on the SCC requires companies to undertake certain additional measures to assure compliance. In particular, a data exporter (i.e., the controller that transmits the personal data outside the EU) needs to make their own assessment as to whether the data importer (typically a service provider in a third country) is able to comply materially with all SCC requirements. A data exporter cannot simply enter into SCCs and not assess for itself whether a specific importer will comply with them.  Notably, the a.g. advised that the court should not take this opportunity to rule on the validity of a related transfer mechanism, the EU-U.S. Privacy Shield, although the opinion suggests that a full court review of Privacy Shield may lead to concerns about transfers under that mechanism. 

The specifics of the ultimate decision by the CJEU may not be known for several weeks, but this is a signal that the outcome may make it more difficult to transfer personal data outside the EU.

Given the very wide use of SCCs in many companies’ global compliance plans, companies should prepare now to evaluate their existing data transfer agreements for their adequacy in protecting data subjects’ rights, bearing in mind that they are subject to scrutiny by national data protection regulators;  and, if they are not, to evaluate alternative grounds and approaches to addressing the cross border transfer issue.

For international companies this means that:

  • The SCC will remain available as a data transfer instrument, but present an incrementally greater risk as the associated transfers remain subject to scrutiny by (national) Supervisory Authorities and subject to complaints of (activist) data subjects.
  • Data exporters must confirm that the data importer is in fact complying with all its commitments under the SCCs.
  • National DPAs have the powers to suspend the transfers if exporters (controllers) do not meet their responsibilities in this respect and are being encouraged to use them.
  • This does not just concern the USA: it applies to all third countries for which SCC are used, including major industrial nations such as Brazil, India and even the UK, when the transition agreement on Brexit with the remaining EU members expires.  
  • In case of doubt, a new dilemma arises: should the exporter approach its DPA for guidance, or remain silent and accept the risk of liability and enforcement actions? To mitigate these risks, a number of options are available:
    • Assess and document the risks for the importer to become subject to requirements under local law that exceed the scope of the GDPR. A data protection impact assessment may be a helpful tool; in any event, the assessment needs to be made on a country-by-country and importer by importer basis.
    • Work on relationships with the (lead) DPA to keep abreast of their views on specific third countries and specific situations.
  • In case the SCC safeguards cannot be guaranteed in a specific situation, SCCs cannot be used.  Other choices can include Binding Corporate Rules (BCRs) for intercompany transfers, adequacy findings for countries, Privacy Shield (subject to the point above), derogations, and other approaches.

The opinion can be found here. For more background on the case, click here.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Wouter is a partner in the Firm's IP/IT & Commercial Practice Group in Amsterdam. He has significant experience in assisting national and international clients with respect to issues concerning ownership and protection of electronic data. Wouter has a particular interest in all internet-related issues on the subject of intellectual property rights.

Author

Francesca Gaudino is the Head of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology.

Author

Harry is a Senior Consultant in Baker McKenzie’s London office and handles all aspects of information technology and communications law. He acts for a broad base of information technology and communications products and service providers — assisting them in their contract negotiations and managing their disputes. He also practises in contentious intellectual property law.

Author

Elisabeth is a partner in Baker McKenzie's Brussels office. She advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.

Author

Andre a strategic compliance adviser at the data protection and privacy practice and has more than 20 years of industry experience. He managed and advised many projects across various industries, including financial services, manufacturing, healthcare, aviation, telecom, FMCG and retail.

Author

Michael advises clients across various industries, including global online businesses, pharmaceutical companies, healthcare providers, manufacturers, financial institutions, sourcing providers, retail companies, and other organizations regarding the legal aspects of global privacy and data protection, data security, information technology, and related restrictions on data collection and transfer.

Author

Amy de La Lama has assisted a wide array of companies in addressing legal issues related to global privacy and data collection, data security, information technology and related restrictions on data collection and movement.

Author

Lothar has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto.

Write A Comment