EU-US data transfers are “valid” according to EU Advocate General
Friday, 20 December 2019A Court of Justice of the European Union (CJEU) Opinion published on 19 December 2019 by Advocate General (AG) Henrik Saugmandsgaard Øe in Case C-311/18 Facebook Ireland and Schrems will come as good news for organisations transferring data to third countries. The AG concluded that Standard Contractual Clauses (“SCCs”) are valid with regard to transatlantic data transfers. SCCs are standard sets of contractual terms and conditions which senders and receivers of personal data mutually adhere to when data is exported from the European Economic Area.
The case arose from a preliminary reference made by the Irish High Court to the CJEU on foot of a challenge brought by Austrian privacy activist Max Schrems to Facebook’s use of SCCs to transfer data from Facebook Ireland to servers located in the United States, on the basis that those clauses do not adequately safeguard individuals’ data protection rights. It is essentially a reformulation of a similar previous complaint brought by Schrems following a decision by the CJEU that the prior EU-US “safe harbour” scheme was invalid in 2015.
The AG Opinion concluded that SCCs are valid and that the validity of Decision 2010/87/EU has not been affected. The AG also noted that the “appropriate safeguards” in SCCs must actually ensure a level of protection equivalent to the GDPR. The publication of the Opinion is a positive development for companies that routinely transfer data outside the EU. AG Opinions are advisory legal views prepared by appointed senior judges to assist the CJEU in its deliberations on a case. Although not legally binding, AG Opinions are followed in up to 90% of cases before the European Courts with the substantive CJEU judgment usually expected within a number of months. The Data Protection Commission (DPC) has welcomed this decision.
For further information or advice, please contact Seán O'Donnell, Richard Hourihan, or any member of the ByrneWallace Data Protection/GDPR Team.