Advocate General questions validity of privacy shield but advises Court not to rule on it.
The Advocate General has delivered his opinion in the keenly awaited case of Facebook Ireland and Schrems C311-18. The Opinion is not binding on the Court of Justice of the European Union but opinions are followed in around 80% of cases. The Court’s judgment is expected in the first quarter of 2020.
His opinion is that Decision 2010/97/EU which establishes standard contractual clauses is valid.
The GDPR provides that personal data may be transferred to a third country if that country ensures an adequate level of protection of the data. Even if the European Commission has not found that the level of protection ensured in the third country in question is adequate, the data controller may nevertheless proceed with the transfer if it is accompanied by appropriate safeguards. One option is a contract between the exporter and the importer of the data, using the standard clauses set out in Commission Decision 2010/87/EU. This established standard contractual clauses for the transfer of personal data to processors established in third countries. This case concerned the validity of that decision.
The case arose in the context of a case related to the original “safe harbor” decision in 2015 brought by Mr Schrems. In this second case, Mr Schrems claimed, first, that the clauses in an agreement between Facebook Ireland and Facebook Inc were not consistent with the standard contractual clauses set out in Decision 2010/87 and, secondly, that those standard contractual clauses could not in any event justify the transfer of the personal data relating to him to the US. Mr Schrems asked for the transfer of such data to be suspended. The Irish High Court referred the case to the Court of Justice asking if Decision 2010/87 was valid.
Firstly, the Advocate General considered that EU law applies to transfers of personal data to a third country where those transfers form part of a commercial activity, even though the transferred data might undergo processing, by the public authorities of that third country, for the purposes of national security.
Secondly, the Advocate General said that the provisions of the GDPR on transfers to third countries are aimed at ensuring the continuity of the high level of protection of personal data, whether the data is transferred on the basis of an adequacy decision or on guarantees provided by the exporter. In his view, the aim will be achieved in different ways according to the legal basis of the transfer. On the one hand, the purpose of an adequacy decision is to find that the third country concerned ensures, via the law and practices of that country, a level of protection of the fundamental rights of the persons whose data are transferred essentially equivalent to that provided by the GDPR. On the other hand, the appropriate safeguards afforded by the exporter, for example by contractual means, must themselves ensure that level of protection. In that respect, the standard contractual clauses adopted by the European Commission provide a general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there.
Thirdly, the Advocate General examined the validity of Decision 2010/87 in the light of the Charter on Fundamental Human Rights of the European Union. He considered that the fact that Decision 2010/87 and the standard contractual clauses which it sets out are not binding on the authorities of the third country of destination, and therefore do not prevent them from imposing obligations that are contrary to the requirements of those clauses on the importer, does not in itself render that decision invalid. The compatibility of Decision 2010/87 with the Charter depends on whether there are sufficiently sound mechanisms to ensure that transfers based on the standard contractual clauses are suspended or prohibited where those clauses are breached or impossible to honour.
In his view, that is the case in so far as there is an obligation placed on the data controllers and, where the latter fail to act on the supervisory authorities, to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with.
The Advocate General also notes that the referring court indirectly called into question the assessments made by the Commission relating to the ‘privacy shield’. The European Commission found that the US ensured an adequate level of protection of data transferred from the EU under the privacy shield, bearing in mind the safeguards surrounding the access to the transferred data by the United States intelligence authorities and the judicial protection available to the persons whose data are transferred.
According to the Advocate General, the resolution of the dispute in this case does not require the Court to rule on the validity of the ‘privacy shield’ decision, since it concerns only the validity of Decision 2010/87. Nevertheless, the Advocate General questioned the validity of the ‘privacy shield’ decision in the light of the right to respect for private life and the right to an effective remedy.