Ireland

Advocate General delivers Opinion in Schrems II

IRIS 2020-2:1/9

Bengi Zeybek

Institute for Information Law (IViR), University of Amsterdam

On 19 December 2019, Advocate General Saugmandsgaard Øe (AG) delivered his opinion in the high-profile case Data Protection Commissioner v. Facebook Ireland Limited (Schrems II), on whether the use of standard contractual clauses can constitute a valid legal basis for transferring and processing personal data outside of the European Union. The AG opined that the Court of Justice of the European Union (CJEU) should consider standard contractual clauses as a valid mechanism for the transfer of personal data abroad.

Previously, in Schrems, the CJEU had declared the Commission’s ‘safe harbour’ decision, which had found that the United States offered ‘adequate’ protection for personal data’, as invalid (see IRIS 2015-10/2). Adequacy decisions constitute one of the legal basis for which personal data may be transferred to a third country under the General Data Protection Regulation (GDPR) as well as the Data Protection Directive, which it replaced (see IRIS 2018-6/7). Another legal basis for the transfer of personal data to third countries may take the form of a contract between the importer and the exporter of the personal data containing the standard protection clauses set out in Commission Decision 2010/87/EU.

Following Schrems, the Irish Data Protection Commissioner (‘DPC’) opened an investigation and Mr Schrems, the applicant in both proceedings, re-formulated his complaint with the Irish DPC. Asking the Irish DPC to suspend the transfer of data in application of standard contractual clauses, Mr Schrems had argued that the agreement between Facebook Ireland and Facebook, Inc. was not consistent with clauses set out in Decision 2010/87 and, secondly, that those standard contractual clauses did not justify the transfer of the personal data relating to him to the United States. The Irish High Court referred preliminary questions to the CJEU on whether the use of standard contractual clauses offered sufficient safeguards for the protection of the personal data of EU citizens (see IRIS 2017-10/22).

According to the AG, the sole issue in the proceedings was whether Decision 2010/87 was valid. The AG further clarified that the EU law applies to data transfers that are part of a commercial activity, notwithstanding that the transferred data might be processed for the purposes of national security by the public authorities of the third country.

The AG further made explicit that the purpose of the provisions of the GDPR on transfers of personal data to third countries is to ensure the continuity of a high level of protection of personal data. But in his view, the way in which this purpose may be realised differs according to the legal basis of the transfer. In that regard, for example, an adequacy decision aims to find that a third country ensures a level of protection of personal data and fundamental rights essentially equivalent to that provided in the GDPR, read in the light of the EU Charter of Fundamental Rights (‘the Charter’). However, where personal data are transferred abroad by contractual means, the terms of the contract must ensure the desired level of protection. Put differently, the standard contractual clauses adopted by the Commission function as a general mechanism to facilitate data transfers, independent of where the personal data are transferred to or the level of protection there.

Importantly, as regards the validity of Decision 2010/87 in the light of the Charter, the AG was of the opinion that the fact that Decision 2010/87 and the standard contractual clauses which it sets out are not binding on the authorities of the third country of destination ‘does not in itself render that decision invalid’. Instead, where personal data are transferred on the basis of standard contractual clauses as per Decision 2010/87, the compatibility of the Decision with the Charter depends on the presence of appropriate mechanisms to ensure the suspension or the prohibition of data transfers, where the exporter of the personal data fails to comply with the contractual clauses.

Crucially, the AG held that standard contractual clauses as legal mechanisms for data transfers of personal data impose ‘an obligation’ on the data controllers to comply with those clauses, and on the supervisory authorities to ‘suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with.’  The AG concluded that his analysis disclosed nothing to affect the validity of Commission Decision 2010/87/EU. The AG’s Opinion is not binding on the CJEU, and the judgment of the Court will be given at a later date.