Are standard contractual clauses still valid?
Yes.
The Court of Justice of the European Union has been asked a number of questions about transfers of personal data to the U.S., where the transfers are made on the basis of EU Commission–approved SCCs.
The hearing took place July 9, but a decision is unlikely before the end of 2019 or early 2020, and SCCs remain valid until that date.
What about the EU-U.S. Privacy Shield?
Yes, this is still valid at the moment.
The case is not directly about the validity of the Privacy Shield. However, the CJEU is asked a number of questions about whether transfers of personal data to the U.S. will breach the EU Charter of Fundamental Rights and how adequacy should be assessed, on the basis of certain factual findings of U.S. law made by the referring Irish court. The court is also asked what impact the Privacy Shield has on transfers made to the U.S. in reliance on the SCCs.
All this means that, although the case is not "about" the Privacy Shield, the judgment may have repercussions for the EU-U.S. Privacy Shield.
Hang on, I'd thought the Privacy Shield case had been postponed …
That’s the other Privacy Shield case. French organization La Quadrature du Net had brought proceedings challenging the Privacy Shield before the General Court of the EU (still part of the CJEU, but a different court). This case was due to have been heard July 1 and 2; however, the court postponed the case pending a resolution in the so-called "Schrems II" case.
Say that again? What’s happening to Privacy Shield?
There are two data transfer cases before the CJEU. The case specifically about Privacy Shield has been parked. The current case (Schrems II) is about data transfers to the U.S. using SCCs – but a lot of the questions being posed are very relevant to Privacy Shield, so it could affect it.
Could the case invalidate both SCCs and Privacy Shield?
That’s a difficult question.
The Irish court has referred a long list of questions to the CJEU, and the answers to some of the questions affect the answers to the others – so there are a lot of possible outcomes.
In very broad terms, the court could:
- Uphold everything and give "positive" answers to the questions posed about U.S. law and transfers to the U.S.
- Find that transfers to the U.S. are problematic in some situations but conclude that this does not stop organizations using SCCs; instead, the action would shift to data protection authorities to suspend problematic data flows.
- Find that some or all transfers to the U.S. are problematic and invalidate the SCCs.
The court isn’t asked to give a direct decision on the validity of the Privacy Shield (although the court could conceivably still do so), but any decision along the lines of option 2 or 3 above would be likely to adversely affect the Privacy Shield in any event.
So what are the alternatives?
Limited.
Binding corporate rules can be relied on by corporate groups — but these require substantial time to put into place and obtain necessary approvals from data protection authorities; they cannot be implemented quickly in the event other transfer methods ceased to be available.
There are also other derogations, from the prohibition on transfers of personal data outside the EU (such as consent or contractual necessity), but consent is revocable and must be freely given (so not a good solution, save where transfers are optional) and contractual necessity and other derogations are narrow and rarely suitable for repeat, large-scale, data transfers. The newest GDPR-approved transfer methods — "approved codes of conduct" and "certification under an approved certification mechanism" — cannot currently be used because, at the moment, there are no approved codes of conduct or certification mechanisms.
Isn’t someone working to try and fix this?
The European Commission is very committed to data transfer contracts as an adequacy method. They are also referred to specifically in the GDPR itself. European Commissioner for Justice, Consumers and Gender Equality Věra Jourová has recently announced that the European Commission is working on modernizing SCCs. The resulting updated clauses could, potentially, be used to resolve any deficiencies found by the CJEU – although the timing for the new SCCs is not clear.
So what can my organization do now?
Understand what EU originating data your organization is transferring, to whom, where, and on what basis. This won’t solve the problem, but, if the judgment does invalidate data transfer methods, it will mean that you are able to assess the impact more quickly and, when alternatives to become available, you will be able to move faster to put them in place.
Knowing what data is processed, where, by whom and on what basis is also required by the GDPR — this information is needed to populate records of processing activities and to inform privacy notices. So you may have this information already — if there are gaps, then filling these gaps will help your GDPR compliance; it won't be nugatory work.
Photo by Kyle Glenn on Unsplash