The Court of Justice of the European Union (“ECJ”) has announced via a tweet that it will deliver its judgment on the validity of standard contractual clauses (“SCC”), and may also be moving forward with the European Union (“EU”) – United States (“US”) Privacy Shield Framework, on July 16, 2020. Many organisations rely on SCC to transfer data outside the European Economic Area (“EEA”). The case before the ECJ arises out of a case filed by Mr. Max Schrems against Facebook for privacy violation (“Schrems II”). According to Mr. Schrems, the data transferred from Facebook Ireland to Facebook is in breach of the General Data Protection Regulation (“GDPR”) since the data protection provided by the US is not “adequate” as per Article 45 of the GDPR, which states that the third country shall have an adequate level of protection. It is his claim that the data in the US is accessed by the intelligence agencies and that a proper remedy for a data breach is not available in the US to the extent required under the GDPR.
After the 2013 revelation by Edward Snowden of the PRISM surveillance program run by the intelligence authorities in the US, Mr. Schrems had previously brought proceedings before the Irish Data Protection Commissioner (“Schrems I”). After an appeal in the case, the matter was referred to the ECJ to determine the legal validity of the Safe Harbour arrangement. The Safe Harbour arrangement governed data transfers between the EEA and the US before the Privacy Shield Framework. Under Safe Harbour, companies could voluntarily subscribe to international data transfer. The Advocate General (“AG”) of the ECJ, Yves Bot, issued his opinion in the matter and stated that the Safe Harbour must be declared invalid since it does not provide adequate legal protection under EU law. The ECJ relied on the opinion by Yves Bot to invalidate the Safe Harbour.
After the Safe Harbour was invalidated, the EU and the US immediately entered into negotiations for a new framework, and the EU-US Privacy Shield was formed. Privacy Shield, like Safe Harbour, follows a self-certification system. An ombudsman has been appointed in the US; however, the independence of that authority has also been questioned.
In Schrems II, the matter is not per se about the validity of SCC but about the processing of data in the US by the intelligence agencies and the lack of adequate remedies. This called into question all the data transferred from the EEA to the US by way of SCC or under the Privacy Shield. The AG, Henrik Saugmandsgaard Øe, stated in his non-binding opinion of December 19, 2019, that since the validity of Privacy Shield is not directly in question, it could be avoided. He further stated that the SCC is also a valid mechanism for data transfer; however, the parties to the SCC need to ensure that the countries outside the EEA have proper data protection laws and remedies, equivalent to those of the EEA. The position of Mr. Schrems is also that the SCC should not be invalidated.
The ECJ in its non-binding opinion stated that the SCCs are a valid mechanism for the transfer of data between the EEA and non-EEA countries. Under SCC, the obligation to ensure data protection is specifically on data controllers since they are a party to such an agreement. If a controller feels that a data transfer to a particular authority or organisation will not have an effective remedy attached, the data transfer should not take place at all.
Euractiv reported that the European Commission is already preparing for the different possibilities that may arise from the judgment. Companies should also consider these possibilities and ensure that their arrangements for transferring data abroad provide an effective remedy for users. Further, the possibility of this judgment affecting other methods like Binding Corporate Rules (BCR) under Article 46 of the GDPR cannot be ruled out.