A decision of the Court of Justice of the European Union (CJEU) is due this week that will decide whether businesses can continue relying on the so called standard contractual clauses (SCC). This decision concerns every global company that transfers personal data of customers, suppliers and employees in the course of its business. Under the EU General Data Protection Regulation (GDPR), each transfer from an entity within the European Economic Area (EEA) to a country outside the EEA requires specific safeguards if the European Commission (Commission) has not recognised the country as ensuring an adequate level of data protection.
In practice, one of the most common ways to safeguard the transfer of personal data out of the EEA is to use SCC which are standard contracts approved by the Commission. Under the SCC provisions, the importer of personal data that is subject to GDPR ensures certain guarantees regarding the processing of personal data.
While the SCC were not updated when the GDPR entered into force in May 2018, they remain very relevant to businesses and are still considered as valid. However, this view has been contested before the Court of Justice of the European Union (CJEU) by the privacy activist Maximilian Schrems.
The final judgment of the case is expected on 16 July 2020 and might declare the SCC invalid. Considering their importance for global companies, the upcoming judgment could have a major impact on the international flow of data.
The possible outcomes of the CJEU judgment
In 2015, the CJEU declared, in a case initiated by Schrems, that the Commission’s US Safe Harbor Decision, which allowed companies to transfer data from the EU to the US under certain conditions, was invalid.
In 2018, this case returned to the CJEU, which has since had to address the question of whether the SCC provide an adequate level of data protection within the meaning of the GDPR.
It is expected that the CJEU will, in its upcoming judgment, also review the validity of the EU-US Privacy Shield that followed as a replacement of the invalidated US Safe Harbor Decision. It is as a specific mechanism used by companies to ensure that data transfers from the EU to the US comply with EU data protection rules.
There are essentially three possible outcomes regarding the transfer of data to countries outside the EEA:
In line with the opinion of the Advocate General, the CJEU may find that the SCC do not violate EU privacy law without commenting on US law regarding the handling of personal data. European companies with operations in the US, for example, can therefore continue to rely on the SCC.
The CJEU considers SCC as valid transfer mechanisms but it may be critical with regard to US privacy provisions, which, in the view of the claimant, neither provide sufficient enforceable data protection rights for the data subjects nor sufficient remedies in this respect. This would not immediately impact the validity of the existing SCC but might trigger other proceedings tackling the validity of the EU-US Privacy Shield and the way companies rely on the SCC.
The CJEU declares the SCC invalid, and criticises US privacy provisions for lacking enforceable data protection rights and remedies. As a relief or transition period cannot be expected, this would immediately impact transfers based on the SCC. It will also affect the EU-US Privacy Shield.
Future of data transfers under the GDPR
The work of the Commission will be heavily influenced by this judgment.
In its second annual review of the GDPR, the Commission stated that ‘[t]he general view is that two years after it started to apply, the GDPR has successfully met its objectives of strengthening the protection of the individual’s right to personal data protection and guaranteeing the free flow of personal data within the EU’. Nevertheless, there are some areas that the Commission is addressing for future improvement, including international data transfers.
In particular, the Commission has repeatedly stated that it is working on new SCC for international data transfers that are harmonised with the GDPR. These SCC will cover all transfer scenarios and are supposed to better take into account the modern business practices of the digital economy. Unless the judgment fundamentally criticises the principles underpinning the SCC, the Commission could make these tweaks fairly quickly.
The Commission is also working on additional adequacy decisions. In early 2019, the Commission declared that Japan ensures an adequate level of data protection measures and is currently assessing whether South Korea and the UK (after Brexit) do too.
The annual review also noted that the Commission wanted to pursue adequacy dialogues with other interested third countries. However, the Commission has stated that any future adequacy decisions will be influenced by the CJEU’s decision.
This week’s judgment may have a major and immediate impact on international data transfers, which is going to affect the decisions of the Commission and the operations of global companies. It remains to be seen whether the US will also be prepared to enter (again) into discussions about whether it has adequate data protection rules in the event the CJEU declares the SCC and, in consequence, the EU-US Privacy Shield invalid.