The international transfer of personal data is part of daily business for many companies. They work with international service providers, have affiliates abroad or cooperate with foreign customers and suppliers. The General Data Protection Regulation (“GDPR”) provides a narrow scope for transferring personal data to non-EU countries. According to art. 44-49 GDPR, personal data may only be transferred if this is essential in the individual case for carrying out a contract, the data subject has given consent, the supervisory authorities have given their approval or there are suitable safeguards for the level of data protection in the recipient country.
So far, the European Commission has only recognized 13 countries with an adequate level of data protection (Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States within the Privacy Shield framework). If this level or the other requirements above are not met, companies must use other methods to ensure an adequate level of protection. One option within company groups is the use of so-called Binding Corporate Rules but these are difficult to implement and do not cover transfers to companies outside the group. Otherwise, companies generally use the so-called EU standard contractual clauses. These are contractual clauses issued by the European Commission and have been considered by the European Commission and the supervisory authorities as an adequate level of data protection when used.
While this option is easy to use and accepted all over the world, it is at a tipping point. A case currently before the ECJ in which the first hearing took place on 9 July 2019 (case C-311/18, Facebook vs. Schrems) raises the question of whether the EU standard contractual clauses can actually ensure an adequate level of data protection.
The complaint filed by data protection activist Max Schrems focuses on whether Facebook can use the standard contractual clauses as a basis to transfer data of European users to the USA. Schrems already fought against the Privacy Shield’s predecessor Safe Harbor, and as a result the ECJ ruled Safe Harbor to be invalid in its verdict dated 6 October 2015 (case C-362/14).
The current case raises the same fundamental questions, specifically how can EU citizens be protected from State access to their personal data outside the EU. The ECJ is expected to apply a similar standard of review as in 2015 for Safe Harbor. It is therefore likely that the EU standard contractual clauses will also be declared invalid as contractual agreements between two companies in the private sector can never be protected from State access and as a result, the adequate level of data protection is called into question.
The ECJ gave no indication in the verbal hearing on 9 July 2019 as to which way it will rule. Schrems’s lawyers did not argue to invalidate the EU standard contractual clauses but wanted the supervisory authorities to consider more carefully each individual case of personal data transfer based on the EU standard contractual clauses.
The advocate general is expected to issue an opinion on the matter on 12 December 2019. This will give an initial indication on how the court will rule. A final ruling is not expected until next year.
Unlike the Safe Harbor case, the EU standard contractual clauses case does not just affect the transfer of personal data to the USA but rather to all countries outside the EU and the EEA that are not expressly recognized as a country with an adequate level of data protection. This means that even transfers to countries that are of great economic importance, such as China, India, Brazil, Russia, South Africa, Australia but also the UK in the event of a no-deal Brexit are at risk. Invalidating the EU standard contractual clauses would mean that they could not be used for transferring data at all, not just to the USA. This would also affect digital services, and the exchange of customer and supplier or employee data in the company group would also be brought into question.
Currently, the EU standard contractual clauses are still a legitimate way to meet the requirements of art. 44-49 GDPR. However, the relevant agreements on data transfer should already include scenarios about what is to happen in the event that the EU standard contractual clauses are declared invalid. There are also other options available for data transfer that have to be carefully examined in individual cases. Obtaining consent from data subjects is undoubtedly the least practical option as such consent is not always given and can be withdrawn at any time. It can also be reviewed in individual cases as to whether the transfer is actually necessary to carry out a contract with the data subject so that no further measures would be required. It is also important to consider whether it is necessary to transfer data at all or whether e.g. service providers in other EU Member States can be used.
Companies must closely monitor the progress of the case and prepare for the possible outcome.