The case, brought initially by Austrian privacy activist Max Schrems, addresses the validity of Standard Contractual Clauses (SCCs) which are used by a majority of companies to legitimize their personal data transfers from the EU/EEA to a third country. Upon first reading, the Opinion of the AG could mistakenly be read to indicate that such transfers are legitimate under any circumstance if SCCs are in place. In that regard, the Opinion sheds some light on the question of who is responsible for ensuring the legitimacy of third country transfers – a question that played a prominent role during the hearing before the CJEU last July.
The case at hand addresses a version of SCCs which are used by EU/EEA data controllers for transfers of personal data to third country processors. These SCCs, known as Decision 2010/87/EU, were drafted ten years ago by the European Commission and have been a common form of contractual safeguarding for many years. Schrems argued that the SCCs – when not enforced properly – do not offer adequate safeguards and that, consequently, personal data which originates from the EU is not always adequately protected in a third country. The AG, however, states in his Opinion that the SCCs are valid.
Approach of the AG
The AG highlights the difference between an adequacy decision and SCCs, both of which are deemed adequate safeguards for third country data transfers under the GDPR. Yet, as the AG remarks, they vary significantly due to the fact that the purpose of an adequacy decision is to find that a third country ensures a level of protection that is largely equivalent to that of the GDPR, whereas SCCs must ensure such a level of protection by contractual means. This difference is indeed important but should not affect the protection of personal data once they are shared with a third country. After all, both mechanisms are recognized as adequate safeguards under the GDPR.
Perhaps that is why the AG focusses to a lesser extent on the validity of the content of the SCCs themselves but rather shifts his focus to the practical implementation of such SCCs. This seems to indicate that, according to the AG, the validity of SCCs as a standard contract is not the main issue. Instead, the main issue is whether the obligations included in the SCCs are properly abided by – by the data controllers but more importantly for this case, also by authorities who may interfere on the basis of wide powers bestowed upon them through national legislation which applies in the respective third country destinations. Think of this in light of the Snowden revelations and increasing governmental supervisory powers throughout the world and the concerns quickly become apparent.
Is the mechanism as a whole valid?
In his Opinion, the AG dwells on this thought by reiterating the importance of supervisory authorities. It is the responsibility of supervisory authorities to ensure that safeguards which are used for third country transfers are indeed ‘adequate’. The obligations set out under the SCCs must be subject to sufficiently sound supervision. Without such supervision, breaches of clauses or situations under which the clauses would be impossible to honor could go largely unnoticed by authorities.
That is where the previous question of responsibility again arises. The AG hints at increased and active supervision by supervisory authorities. Such supervision must enforce the validity of SCCs as a mechanism for third country transfers as a whole. But of course such supervision is complex, could have severe economic and political consequences and often explores the limits of the application of EU law. The non-binding Opinion of the AG has brought us closer towards formulating an understanding of who should be responsible for ensuring SCCs are indeed an adequate safeguard for the protection of the data protection rights. Whether the CJEU will follow this line of thought is something which will hopefully be addressed in 2020.