An EU court ruling yesterday has raised questions over the validity of the Privacy Shield data sharing framework between Europe and the US, although it confirmed the legality of standard contractual clauses (SCCs), with caveats.
The opinion of advocate general (AG) of the EU Court of Justice, Henrik Saugmandsgaard Øe, stems from the infamous Facebook-Max Schrems case in which a complaint by the latter claimed that transfer of his data from the EU to the US by the social network infringed his privacy rights.
That led to the end of the Safe Harbor data sharing agreement between the EU and US in 2015, because the latter’s bulk surveillance programs, as revealed by Edward Snowden, were considered to imperil Europeans’ privacy rights without providing any adequate cause of redress.
The new opinion issued by the advocate general indicates the EU still has concerns over Safe Harbor’s successor, Privacy Shield.
“According to the advocate general, the resolution of the dispute in the main proceedings does not require the court to rule on the validity of the ‘privacy shield’ decision, since that dispute concerns only the validity of Decision 2010/87,” a statement from the Court of Justice noted.
“Nevertheless, the advocate general sets out, in the alternative, the reasons that lead him to question the validity of the ‘privacy shield’ decision in the light of the right to respect for private life and the right to an effective remedy.”
However, SCCs are still a valid and legal way to transfer data to and from a “third country” (i.e. one outside the EU), despite the US surveillance regime, the opinion found.
The caveat is that data protection authorities in the trading bloc must keep an eye on the conditions within these third countries.
There is an obligation on them “to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with.”
Overall, this is good for business and will ease fears about data flows post-Brexit as the UK will effectively become a third country at that time, according to experts.
“The advocate general’s opinion that the EU SCCs remain valid will be welcomed by business on both sides of the Atlantic, as the SCCs are one of the key mechanisms that underpin transfers of personal data to countries outside of the EU, including to the US,” said Bridget Treacy, partner at law firm Hunton Andrews Kurth.
“Despite the continuing validity of the SCCs, the AG points out that businesses that rely on the clauses still need to assess whether the recipient can comply with the clauses in relation to each particular transfer, and suspend transfers when that is not the case. Furthermore, EU data protection supervisory authorities have the power to suspend data transfers pursuant to the SCCs when an adequate level of protection for personal data cannot be provided in light of local laws and practices in the recipient country.”
The AG’s decision is not legally binding, but the European Court of Justice, which is hearing the case next year, usually follows the same thinking.