On Thursday, Court of Justice of the European Union Advocate General Henrik Saugmandsgaard Øe released his opinion in the so-called "Schrems II" case, reaffirming the sufficiency of standard contractual clauses, but calling into question U.S. protections for personal data in the national security context.

While companies around the world will likely breathe a momentary sigh of relief that the CJEU seems ready to preserve the mechanism on which the vast majority rely to transfer data globally, the opinion perpetuates the uncertainty that has plagued data transfers for at least a decade. That is because the opinion suggests that companies and data protection authorities should assess the sufficiency of foreign countries’ national security protections on a case-by-case basis.

The opinion states, “(There) is an obligation — placed on the controllers … and, where the latter fail to act, on the supervisory authorities … — to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with.”

The initial onus of such an assessment could fall to the Irish Data Protection Commission, which referred this case to the CJEU through the Irish High Court.

The DPC issued a statement on the opinion, which addresses this issue, in part, highlighting the risk of EU fragmentation that such a case-by-case analysis could create. It writes:

“At this point, procedural complexities also come into view. Specifically, who should intervene when, in the context of an individual transfer, the level of protection demanded by EU law cannot be maintained? Here, whilst acknowledging its imperfections, and the practical difficulties it presents, and notwithstanding the risk of fragmentation amongst supervisory authorities within the member states, the (advocate general) concludes that the approach settled upon by the EU in the context of the SCCs strikes an appropriate balance between pragmatism and principle. That approach is one in which responsibility for ensuring the protection of the data protection rights of EU citizens rests with controllers in the first instance and, in the view of the (advocate general), with national supervisory authorities where a controller fails to discharge its obligations.”

According to IAPP research, approximately 88% of companies transferring data out of the EU rely on SCCs, while 60% use Privacy Shield. If the full court follows the direction of the advocate general, it would preserve the European Commission’s adequacy determination for Privacy Shield, while still calling the sufficiency of its protections in the national security sphere into question. That may lead Privacy Shield participants to consider a belt-and-suspenders approach in which they sign model contracts, as well.

With regard to Privacy Shield, the advocate general writes, “I conclude from the foregoing that there is no need to … examine the validity of the (Privacy Shield) decision.” At the same time, he shares his view on the sufficiency of the decision, noting, “the establishment of the ombudsperson does not to my mind provide a remedy before an independent body offering the persons whose data are transferred a possibility of relying on their right of access to the data or of contesting any infringements of the applicable rules by the intelligence services.”

In discussing Privacy Shield, the opinion suggests that the appropriate comparator for assessing the adequacy of U.S. national security protections might be EU member state laws and practices subject to the jurisprudence of the European Court of Human Rights. This would be a different standard than comparing U.S. national security protections to EU law, which generally does not govern EU member state practices in the national security sphere.

Further assessment of these issues is possible in the final decision or in another case pending before the EU General Court, a case brought by La Quadrature du Net, which challenges Privacy Shield directly. Regardless of when these issues are assessed, they will necessitate near-term diplomatic discussions between EU and U.S. authorities.

Alex Greenstein, Privacy Shield director at the U.S. Department of Commerce, shared his thoughts on the case and such discussions. “We are in close communication with the European Commission and EU member states regarding the importance of data flows to the (trans-Atlantic) economic relationship,” he said. “The United States has been actively participating in the 'Schrems II' case to explain the U.S. legal system, including restrictions and safeguards in U.S. law relating to government access to data for national security purposes. We are carefully reviewing the advocate general's opinion and will continue to closely monitor the 'Schrems II' case as it proceeds in the EU courts.”

Greenstein’s comment is a reminder that this opinion is nonbinding and advisory only.

The CJEU is expected to issue a final decision in the coming months. While there is no set time frame for such a decision, the court issued its final decision in the first Schrems case only 13 days after the advocate general’s opinion was released. If the full court follows the direction of the advocate general in this case, a final decision could be issued quickly. If it charts a different path, the decision could take longer. Either way, a decision is likely in the first quarter of 2020.