Standard Contractual Clauses adequate but questions remain around Privacy Shield
The Advocate General recently found that the Standard Contractual Clauses (SCCs) remain valid mechanisms for ensuring compliant EU to third country data transfers. A third country is any country outside of the European Economic Area (EEA). Although this determination is not binding, the European Court of Justice is likely to follow his determination, which is available in full here.
This has come off the back of the most recent round in a long running legal fight between Austrian lawyer Max Schrems, and Facebook, regarding the sharing of Schrem’s personal data with Facebook in the United States. The original case was brought by Schrems following the Snowden revelations about the interception and surveillance of internet and telecommunications systems by the NSA on a global scale in 2013.
What is also noteworthy is that even though the Advocate General was not asked to rule on the EU – US Privacy Shield Framework, he did express some concern regarding the adequacy of that framework. In particular, the Advocate General noted that the ombudsman established in the US to adjudicate complaints relating to the use of personal data that is transferred to the US does not satisfy the condition of judicial independence.
Why does this matter?
The extent to which global organisations can transfer personal data to third countries located outside the EU has important consequences for businesses that operate internationally.
The General Data Protection Regulation allows for international transfers of EU citizens’ personal data only in certain circumstances, including where there is an EU Commission adequacy decision allowing for the transfer, or where there are appropriate safeguards in place.
Many businesses rely on the SCC to ensure compliant transfers and an adverse ruling from the Advocate General would have had serious implications for large multinationals that routinely transfer data internationally outside the EEA.
However, the Advocate General’s comments in respect of the Privacy Shield Framework pave the way for future similar challenges, and it will be interesting to see if the UK government continues to recognise the Privacy Shield Framework following Brexit, particularly in light of the potential UK-US trade deal.
If you have any questions regarding the above, please contact our Commercial and Intellectual Property team or fill in the enquiry form.