On 19 December 2019 the Advocate General with the European Court of Justice ("ECJ") Mr. Henrik Saugmandsgaard Øe published his opinion in the case "Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems" (case C-311/18; "Schrems II"). Companies transferring personal data to countries outside of the EU ("third countries"; "international data transfers") should pay particular attention to this case. In the future, a data protection supervisory authority ("DPA") could prohibit international data transfers although Standard Contractual Clauses ("SCC") have been agreed upon (and complied with). This could also impact other safeguards in the context of international data transfers (e.g. Binding Corporate Rules; "BCR").
This opinion is marked by numerous procedural questions as well as procedural directions. From a practical point of view, the following short term take away is relevant:
The Advocate General recommends the ECJ to continue to consider the decision of 5 February 2010 (2010/87/EU; "Decision 2010/87/EU") on the applicability of SCC to be lawful. The Advocate General sees no reason - regarding the present proceedings - to declare the Decision 2010/87/EU invalid.
Should the ECJ follow the Advocate General, companies can still use SCC to justify international data transfers. However, as a long term take away, this principle could turn into an exception. If the ECJ agrees with the view of the Advocate General, a radical change with regard to international data transfers could follow. Companies might no longer rely on safeguards in accordance with the General Data Protection Regulation ("GDPR") when transferring personal data to third countries. The Advocate General (probably) takes the view that a DPA can issue orders to suspend international data transfers in individual cases. Therefore, a DPA might in future prohibit international data transfers even though SCC have been agreed upon (and complied with) because of a different data protection level in a specific third country.
History and Background
This case has a longer history. The starting point is a complaint that Mr. Schrems filled with the Irish DPA.
In essence, Mr. Schrems challenged the legality of the transfer of personal data by Facebook Ireland Ltd. to Facebook, Inc. (based in California, U.S.A.; "Schrems I"). According to Mr. Schrems, the (now invalid) Safe Harbor Agreement did not provide an adequate level of data protection in the U.S.A. Among other...