Data controllers who transfer data to the US from the EU have been eagerly following the proceedings in Ireland & Schrems (Case C-311/18) (Schrems II). On 19 December 2019 the Office of the US Attorney General issued its opinion on the 11 questions raised in that case, which basically converge upon the following two key issues which the CJEU is expected to rule on:
Despite the action being attributed in the media to Schrems, the question of the validity of the SCCs was sent to the CJEU entirely by the Irish Data Protection Commissioner (DPC). Both Schrems and Facebook have argued that the problems with the SCCs could be addressed by a targeted solution, as Article 4 of the SCCs purports to give regulators (including the DPC) the power to order Facebook to “suspend” the data transfers in individual cases.
The different positions of the parties are:
The Attorney General seems to generally agree with the position of Schrems on the point that the SCCs are valid. It is the data controller or, where they fail to act, the supervisory authority who is obliged to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the SCCs and those imposed by the law of the destination third country, those clauses cannot be complied with.
Whilst this will be a relief to the thousands of businesses who rely on the SCCs for daily transfers of data out of the EU to destination across the globe, it may still cause issues for some of the larger US organisations. Schrems concludes that, if the CJEU follows the Attorney General’s reasoning, this decision will limit the impact to companies (such as Facebook) that fall under a specific US surveillance law, including “FISA 702”. Only in this situation would the DPC be obliged to step in to suspend the data transfers.
Previously the European Commission has explicitly held that US surveillance law is compliant with EU law (in the ‘Privacy Shield decision’). Consequently, the questions raised in Schrems II also, inadvertently, challenge the Privacy Shield decision.
According to the Advocate General, the ruling on Schrems II does not require the Court to rule on the validity of the Privacy Shield decision and, in fact, the CJEU should not answer this question “with the sole aim of helping the DPC to deal with that complaint”.
Despite this, the Attorney General retains certain doubts over the privacy shield and sets out, in the alternative, the reasons that lead him to question the validity of the Privacy Shield decision in the light of the right to respect for private life and the right to an effective remedy. The opinion notes the inherent conflict between the requirement for the NSA to have access to, and intercept, data and the right to privacy of the EU data subject. An infringement of these rights can only be permitted if it is “provided for by law”. The Attorney General’s opinion casts doubt on “the sufficiently clear and precise nature… and the existence of sufficient guarantees to prevent the risk of abuse” in relation to FISA 702.
The Attorney General also discusses the perceived inadequacies with the Privacy Shield due to the lack of access to an effective remedy under US law. The European Commission has already recognized this and appointed an ombudsman under the Privacy Shield. However, the Attorney General, again, tends to agree with Schrems, noting that the ombudsman is not appointed as a matter of law and could be cancelled “without any particular guarantee” and that the ombudsman gives no guarantee of a remedy (such as rectification or erasure).
Whilst this opinion is a good indication of how the CJEU will rule in early 2020 (roughly 80% of rulings follow the Attorney General’s opinion) it is by no means a guarantee. Businesses that transfer data from the EU to the US should consider reviewing their data flows and preparing risk assessments to assess any dangers posed by a decision from the CJEU which calls into question to validity of the Privacy Shield or SCCs.