Thursday’s important advisory opinion from the European Court of Justice (ECJ), on whether data transfers between the European Union and the United States are adequately protected when done using a legal template called standard contractual clauses (SCCs), will have surprised many who expected a simple yes or no.
Elegant and practical, the non-binding opinion offered by the court’s advocate general – an adviser chosen from among the court’s justices, whose guiding view is usually followed in final opinions – neither declares such transfers entirely acceptable, nor rejects them as invalid.
Instead, advocate general Saugmandsgaard Øe straddles both options in a clean decision that presents the question in simple contractual terms: can the company that controls and sends the data ensure that the data-protection terms of the contract will be honoured in the destination country?
He advises that while contracts are in themselves valid as a tool – upholding a 2010 Court decision that stated they may be used by businesses – it is up to the companies using them, and state data-protection authorities, to determine whether the country to which data is sent protects data to EU standards.
Two options
This conclusion will worry companies such as Facebook, whose data-transfer practices are at the centre of the original Irish case behind the ECJ’s examination.
Companies currently have two options for transferring the personal data of those inside the EU, where it has very specific protections under the General Data Protection Regulation, to countries outside of the EU. To the US, they may use the US/EU joint data-transfer agreement called the Privacy Shield, or they may use SCCs. Many larger companies opt for their own bespoke SCCs.
The ECJ case arose from a complaint against Facebook made by Austrian lawyer and privacy activist Maximilian Schrems to the Irish Data Protection Commission, questioning whether his data is protected to EU standards when sent to the US by Facebook, which uses SCCs. In the case referral, the ECJ was also asked to consider whether the Privacy Shield offers adequate protection.
Schrems made his complaint in the wake of disclosures by whistleblower Edward Snowden, which indicated that many technology companies secretly shared data with the US National Security Agency (NSA), which operates behind an opaque wall of US legislation.
“This opinion, if followed by the court, would place an obligation on data-protection authorities to assess individual countries and their legal protections for EU citizens’ data. The contracts are valid, but only where the protections they promise can be assured under the laws of the places the data is sent, whether that is the US, UK after Brexit or anywhere else,” says Simon McGarr, solicitor with data consultancy Data Compliance Europe.
“In effect, the court has affirmed that the concept of standard contract clauses is valid, but that its practical application is subject to the facts of each transfer.”
Large burden
The opinion places a large burden on the Data Protection Commission office here, which must determine if data protection in other individual countries meets EU standards. And it creates uncertainty for businesses such as Facebook because it now makes them responsible for ensuring data is protected abroad.
Critically, this seems impossible in the case of the US, where companies must comply with secret requests from the NSA, and the UK, especially after Brexit, as UK surveillance agency GCHQ also has sweeping powers to access data.
On the other hand, the ruling offers significant power to data-protection authorities, because they can more easily pursue even the largest and most evasive of companies, requiring them to prove their own use of SCCs will fully protect EU data, while not revoking the general use of SCCs by others.
And while the advocate general declines to offer a full opinion on the Privacy Shield, he will have rattled companies by concluding that the ECJ may wish to review a previous opinion that found the Privacy Shield adequate for protecting data sent to the US.
His opinion “gives indications of his reasons to doubt the Privacy Shield decision on the basis of the circumstances of US protections for private life and offering EU citizens an effective remedy in the event they believe they have been breached,” notes McGarr.
Companies on either side of the Atlantic will find little comfort in this preliminary opinion.