On December 19, 2019, Advocate General (“AG”) Henrik Saugmandsgaard Øe handed down his Opinion in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”). The AG’s Opinion provides non-binding guidance to the Court of Justice of the EU (“CJEU”) on how to decide the case.

In brief, the AG recommended that the CJEU find that Decision 2010/87 (setting out standard contractual clauses for controller to processor transfers) should not be invalidated. The Opinion also concluded that the Court did not need to rule on the validity of the EU-U.S. Privacy Shield to decide Schrems II.

Background

The case stems from a complaint filed by Mr. Max Schrems with the Irish Data Protection Commissioner (“IDPC”) challenging Facebook Ireland’s use of the 2010 clauses to transfer his personal data to the United States. The IDPC, concerned about the protections afforded to EU data subjects by U.S. law, asked the Irish High Court for guidance. The High Court in turn asked the CJEU a series of questions about the validity of the clauses and the adequacy of the U.S. regime.

For more information on the background, please see our prior press release here.

AG’s Opinion

In an Opinion that spanned over 90 pages, the AG concluded:

  • The CJEU should not invalidate the 2010 Standard Contractual Clauses (“SCC”) Decision. The AG concluded that, based on his analysis of the matter, there was “nothing to affect the validity of Commission Decision 2010/87/EU” (para. 5). The validity of contractual clauses, in his view, did not depend on the adequacy of the U.S. regime; instead, it “depends only on the soundness of the safeguards which those clauses provide in order to compensate for any inadequacy of the protection afforded in the third country of destination” (para. 124). The AG concluded that the clauses provide a framework that allows parties to put in place the necessary safeguards.
  • Whether the SCCs can be used for a particular transfer to a particular country requires a case-by-case assessment. As the AG explained, data exporters — with support from data importers — must make an initial assessment of whether SCCs can in fact be used for a particular transfer. When making this assessment, consideration should be given to “all of the circumstances characterising each transfer, which may include the nature of the data and whether they are sensitive, the mechanisms employed by the exporter and/or the importer to ensure its security, the nature and the purpose of the processing by the public authorities of the third country which the data will undergo, the details of such processing and the limitations and safeguards ensured by that third country” (para. 135).
  • Where a Supervisory Authority concludes that a particular transfer made via the clauses is unlawful, it must intervene. If a data subject complains about the export of his or her data to a third country, a Supervisory Authority must examine the complaint “with all due diligence” (para. 146). When the Authority concludes that the clauses are not being complied with, the Authority has no discretion: it must take remedial measures including, where appropriate, suspending the transfer (para. 140).
  • The Court does not need to decide the validity of the Privacy Shield to rule in Schrems II. The AG concluded that it would be “premature” for the Court to rule on the validity of the Privacy Shield in this case (para. 166) — instead, this should be left to the General Court (which currently has a challenge to the Privacy Shield pending before it). Nonetheless, the AG made a number of observations on the validity of the Privacy Shield Decision, noting several points he viewed as shortcomings.

Next Steps

We anticipate the CJEU’s judgment to be announced in the first quarter of 2020. As noted, the AG’s Opinion provides guidance to the CJEU, but does not bind it. While the Court often follows the AG’s Opinion, it does not always do so.

If you have any questions concerning the material discussed in this client alert, please feel free to contact any of the members of our Privacy practice (details provided below). Covington will also be hosting a webinar on Wednesday January 8, 2020, in which we will be discussing the implications of the AG opinion in more detail.  Click here to join us.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lisa Peets Lisa Peets

Lisa Peets leads the Technology Regulatory and Policy practice in the London office and is a member of the firm’s Management Committee. Lisa divides her time between London and Brussels, and her practice embraces regulatory counsel and legislative advocacy. In this context, she…

Lisa Peets leads the Technology Regulatory and Policy practice in the London office and is a member of the firm’s Management Committee. Lisa divides her time between London and Brussels, and her practice embraces regulatory counsel and legislative advocacy. In this context, she has worked closely with leading multinationals in a number of sectors, including many of the world’s best-known technology companies.

Lisa counsels clients on a range of EU law issues, including data protection and related regimes, copyright, e-commerce and consumer protection, and the rapidly expanding universe of EU rules applicable to existing and emerging technologies. Lisa also routinely advises clients in and outside of the technology sector on trade related matters, including EU trade controls rules.

According to the latest edition of Chambers UK (2022), “Lisa is able to make an incredibly quick legal assessment whereby she perfectly distils the essential matters from the less relevant elements.” “Lisa has subject matter expertise but is also able to think like a generalist and prioritise. She brings a strategic lens to matters.”

Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of…

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies concerning the lawmaking, to compliance advice on the adopted laws regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

Photo of Bart Van Vooren Bart Van Vooren

Bart Van Vooren has a broad life sciences practice supporting innovative pharmaceutical, food, medtech and biotech companies on EU regulatory, commercial and strategic policy assignments. He is widely recognized for his expertise on general EU law and procedure, as well as his extensive…

Bart Van Vooren has a broad life sciences practice supporting innovative pharmaceutical, food, medtech and biotech companies on EU regulatory, commercial and strategic policy assignments. He is widely recognized for his expertise on general EU law and procedure, as well as his extensive litigation experience before the EU Court of Justice in dozens of cases.

Over the past seven years, Mr. Van Vooren has developed a niche practice on compliance with the Biodiversity Convention and the Nagoya Protocol, a set of rules to combat bio-piracy worldwide. He has accumulated unique, practical experience in dozens of jurisdictions around the world, and has handled everything from benefit-sharing negotiations, over compliance programs, to inspections by authorities.

Finally, Mr. Van Vooren has an active pro bono practice assisting NGOs defending the human rights of persons with a disability through strategic litigation.

Photo of Sam Jungyun Choi Sam Jungyun Choi

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous…

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous vehicles. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Sam advises leading technology, software and life sciences companies on a wide range of matters relating to data protection and cybersecurity issues. Her work in this area has involved advising global companies on compliance with European data protection legislation, such as the General Data Protection Regulation (GDPR), the UK Data Protection Act, the ePrivacy Directive, and related EU and global legislation. She also advises on a variety of policy developments in Europe, including providing strategic advice on EU and national initiatives relating to artificial intelligence, data sharing, digital health, and online platforms.