
Data transfers opinion welcome but burdens could increase for business

Out-Law News | 19 Dec 2019 | 2:58 pm

Businesses will broadly welcome a new legal opinion that an important tool for transferring personal data outside the EU is valid, but the opinion placed an emphasis on checks businesses should be prepared to carry out to ensure data transfers made using that tool comply with EU data protection laws, an expert has said.

Andreas Carney of Pinsent Masons, the law firm behind Out-Law, was commenting after advocate general Henrik Saugmandsgaard Øe to the Court of Justice of the EU (CJEU) expressed the view that model clauses, or standard contract clauses (SCCs) as they are also known, are valid under EU law.

The advocate general's opinion is non-binding, but Carney said that if the CJEU follows it, greater emphasis would be placed on data exporters to check for contradictions between the protections afforded by SCCs and the obligations importers might be subject to in the jurisdictions to which data is being transferred.

He also warned that the opinion raised fresh doubts over the EU-US Privacy Shield, which is another framework thousands of US companies rely on for transferring personal data from the EU to the US in a way which complies with EU data protection law.

Carney said: "Organisations across the EU and globally may issue a collective sigh of relief that the advocate general believes that the main mechanism relied upon for underpinning the flow of personal data out of the EU – standard contract clauses (SCCs) – can continue to be relied upon. However, the advocate general is recommending that organisations need to be aware of local laws in other jurisdictions to determine whether they contradict the protections offered by the clauses, and act to prohibit, suspend or terminate data transfers in cases where that is the case."

"The advocate general has cast doubt on the validity of the EU-US Privacy Shield which may cause uncertainty for US businesses, as many US-based businesses rely on the Privacy Shield to comply with EU data protection law when transferring personal data from the EU to the US," he said.

The case before the CJEU stems from Ireland, where the High Court has asked the EU court to answer questions which go to the heart of whether SCCs are a valid tool for facilitating the transfer of personal data outside of the European Economic Area (EEA) to so-called 'third' countries.

SCCs have been endorsed by the European Commission for use in cross-border contracts as a tool to ensure businesses transferring personal data outside of the EEA do so in compliance with EU data protection laws. Those laws require businesses to ensure that the protections in place for personal data in 'third' countries are essentially equivalent to the protections applied to the data within the EU.

The Commission's endorsement of the use of model clauses as a mechanism for demonstrating compliance with EU rules on data transfers has led to their use becoming widespread among the international business community. However, the case raised before the Irish courts has questioned whether the Commission's SCC decision is valid, with specific concerns raised about data transferred to the US, whether the decision offers sufficient protection against the processing of that data by US law enforcement and intelligence agencies, and whether the mechanisms for redress in the US enable EU-based data subjects to enforce their data protection rights.

In his opinion, advocate general Saugmandsgaard Øe said that the questions referred to the CJEU had "disclosed nothing to affect the validity" of the Commission's 2010 decision endorsing SCCs for data transfers.

Saugmandsgaard Øe characterised SCCs as providing a general mechanism of protection applicable to transfers irrespective of the third country of destination. Their purpose, he said, is to ensure continuity of the high level of protection of personal data provided by the General Data Protection Regulation (GDPR) on the basis of guarantees provided by the data exporter through the SCCs.

He said that EU laws on data transfers apply to transfers that form part of a commercial activity, and said that it was therefore immaterial, for the purposes of determining whether the Commission's SCCs decision was valid, whether the data that is transferred is subsequently processed by public authorities in third countries for national security purposes.

The advocate general said that public authorities in the US and other third countries are not bound by SCCs or the Commission's SCC decision, which leaves it open to those authorities to require organisations subject to their jurisdiction to comply with obligations that run contrary to the protections afforded by SCCs. This fact, however, does not render SCCs invalid, he said.

Saugmandsgaard Øe also considered whether the Commission's SCC decision is compatible with the EU's Charter of Fundamental Rights, which among other things provides qualified guarantees on the right to privacy and protection of personal data. The answer to that question rests on "whether there are sufficiently sound mechanisms to ensure that transfers based on the standard contractual clauses are suspended or prohibited where those clauses are breached or impossible to honour", he said.

According to the advocate general, the mechanisms will be deemed 'sufficiently sound' where the SCCs oblige data controllers – or data protection authorities in cases where controllers fail to act – "to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with". A clause in the SCCs currently obliges data importers to notify exporters if local laws they are subject to prevent them from providing the protections the SCCs are supposed to offer.

Carney said that this view emphasises that the burden of assessing the compatibility of the laws of the jurisdiction to which the data will be transferred rests with the exporting data controllers. He said this potentially puts controllers in a difficult position as they would be required to make a decision on a matter that most would consider to be for the European Commission or the courts to decide.

Data protection law expert Stephan Appt of Pinsent Masons said: "The opinion could embolden some data protection authorities in the EU, particularly some state regulators in Germany that have taken a keen interest in data transfer arrangements of companies previously, to prohibit SCCs-based data transfers in individual cases, under powers granted to them under the GDPR."

While Saugmandsgaard Øe said that he believes it is not necessary for the CJEU in this case to determine whether the EU-US Privacy Shield is valid, he admitted his analysis of the framework would "raise certain questions as to the validity of the assessments set out in the ‘Privacy Shield’ decision" in terms of whether it provides adequate data protection in the context of US electronic communications surveillance activities.

Carney said: "While the CJEU's decision in this case could have a major impact on the most popular legal tool used by the majority of businesses and organisations, now is the time for the data protection authorities and the European Commission to step up the pace to update SCCs in line with the GDPR and to assist businesses with alternative methods of transfer keeping the high standards of protection of the GDPR. Stopping global data flows is not the answer. Improving the protections for individuals when their data leaves the EU is."