On December 19, 2019, Advocate General (“AG”) Henrik Saugmandsgaard Øe handed down his Opinion in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”). The AG’s Opinion provides non-binding guidance to the Court of Justice of the EU (“CJEU”) on how to decide the case.

In brief, the AG recommended that the CJEU find that Decision 2010/87 (setting out standard contractual clauses for controller to processor transfers) should not be invalidated. The Opinion also concluded that the Court did not need to rule on the validity of the EU-U.S. Privacy Shield to decide Schrems II.

Background

The case stems from a complaint filed by Mr. Max Schrems with the Irish Data Protection Commissioner (“IDPC”) challenging Facebook Ireland’s use of the 2010 clauses to transfer his personal data to the United States. The IDPC, concerned about the protections afforded to EU data subjects by U.S. law, asked the Irish High Court for guidance. The High Court in turn asked the CJEU a series of questions about the validity of the clauses and the adequacy of the U.S. regime.

For more information on the background, please see our prior press release here.

AG’s Opinion

In an Opinion that spanned over 90 pages, the AG concluded:

  • The CJEU should not invalidate the 2010 Standard Contractual Clauses (“SCC”) Decision. The AG concluded that, based on his analysis of the matter, there was “nothing to affect the validity of Commission Decision 2010/87/EU” (para. 5). The validity of contractual clauses, in his view, did not depend on the adequacy of the U.S. regime; instead, it “depends only on the soundness of the safeguards which those clauses provide in order to compensate for any inadequacy of the protection afforded in the third country of destination” (para. 124). The AG concluded that the clauses provide a framework that allows parties to put in place the necessary safeguards.
  • Whether the SCCs can be used for a particular transfer to a particular country requires a case-by-case assessment. As the AG explained, data exporters — with support from data importers — must make an initial assessment of whether SCCs can in fact be used for a particular transfer. When making this assessment, consideration should be given to “all of the circumstances characterising each transfer, which may include the nature of the data and whether they are sensitive, the mechanisms employed by the exporter and/or the importer to ensure its security, the nature and the purpose of the processing by the public authorities of the third country which the data will undergo, the details of such processing and the limitations and safeguards ensured by that third country” (para. 135).
  • Where a Supervisory Authority concludes that a particular transfer made via the clauses is unlawful, it must intervene. If a data subject complains about the export of his or her data to a third country, a Supervisory Authority must examine the complaint “with all due diligence” (para. 146). When the Authority concludes that the clauses are not being complied with, the Authority has no discretion: it must take remedial measures including, where appropriate, suspending the transfer (para. 140).
  • The Court does not need to decide the validity of the Privacy Shield to rule in Schrems II. The AG concluded that it would be “premature” for the Court to rule on the validity of the Privacy Shield in this case (para. 166) — instead, this should be left to the General Court (which currently has a challenge to the Privacy Shield pending before it). Nonetheless, the AG made a number of observations on the validity of the Privacy Shield Decision, noting several points he viewed as shortcomings.

Next Steps

We anticipate the CJEU’s judgment to be announced in the first quarter of 2020. As noted, the AG’s Opinion provides guidance to the CJEU, but does not bind it. While the Court often follows the AG’s Opinion, it does not always do so.

If you have any questions concerning the material discussed in this client alert, please feel free to contact any of the members of our Privacy practice (details provided below). Covington will also be hosting a webinar on Wednesday January 8, 2020, in which we will be discussing the implications of the AG opinion in more detail.  Click here to join us.

Tags: Data Protection, European Union (EU)
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lisa Peets Lisa Peets

Lisa Peets is co-chair of the firm’s Technology and Communications Regulation Practice Group and a member of the firm’s global Management Committee. Lisa divides her time between London and Brussels, and her practice encompasses regulatory compliance and investigations alongside legislative advocacy. For more…

Lisa Peets is co-chair of the firm’s Technology and Communications Regulation Practice Group and a member of the firm’s global Management Committee. Lisa divides her time between London and Brussels, and her practice encompasses regulatory compliance and investigations alongside legislative advocacy. For more than two decades, she has worked closely with many of the world’s best-known technology companies.

Lisa counsels clients on a range of EU and UK legal frameworks affecting technology providers, including data protection, content moderation, artificial intelligence, platform regulation, copyright, e-commerce and consumer protection, and the rapidly expanding universe of additional rules applicable to technology, data and online services.

Lisa also supports Covington’s disputes team in litigation involving technology providers.

According to Chambers UK (2024 edition), “Lisa provides an excellent service and familiarity with client needs.”

Read more about Lisa PeetsEmail
Show more Show less
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Read more about Kristof Van QuathemEmail
Show more Show less
Photo of Bart Van Vooren Bart Van Vooren

Bart Van Vooren, partner leads a dynamic practice at the intersection of EU regulatory law, global health, and biodiversity law. In these fields, he advises innovative pharmaceutical, food, cosmetic and technology companies on complex EU and global regulatory, compliance and policy assignments.

Bart…

Bart Van Vooren, partner leads a dynamic practice at the intersection of EU regulatory law, global health, and biodiversity law. In these fields, he advises innovative pharmaceutical, food, cosmetic and technology companies on complex EU and global regulatory, compliance and policy assignments.

Bart holds a Ph.D. in EU and International Law and was a professor of EU law until 2013. During that time, he wrote the first-ever handbook with Cambridge University Press on “EU External Relations Law” (2014). He then transitioned to private practice, and frequently acted for the Belgian government before the EU Court of Justice (e.g. C-16/16P Belgium vs Commission). Bart joined Covington in 2016, leading some of our most consequential EU litigation proceedings (e.g. C-311/18 “Schrems II”) over the years.  Having handled nearly 50 cases before the EU Court, he’s uniquely qualified to support our corporate clients in our most high-stakes disputes. Recent examples include T-189/21 Aloe Vera of Europe v Commission (which we won, so the Commission decided to appeal); as well as T-201/21 Covington & Burling and Van Vooren v Commission (which we also won, and hence is also on appeal).

As a pioneer in biodiversity law, over the past 15 years Bart has built a unique, global practice on Access and Benefit-Sharing (ABS) laws under the Convention on Biological Diversity, the Nagoya Protocol, the Plant Treaty, the High Seas Treaty and the WHO Pandemic Agreement. ABS compliance is critical when sourcing biological materials for life sciences R&D and I work with many of the world’s innovative life sciences companies on the whole range of e.g. transactional, contractual, compliance, IP, (EU) regulatory and litigation work relating to ABS. As biodiversity has increasingly become identified as a major commercial and financial risk to companies, so has the practice expanded to e.g. biodiversity credit markets, biodiversity insurance, biodiversity claims and advertising, and so on. Since April 2025, Bart has been appointed as the industry representative to the Steering Committee of the UN Biodiversity Fund that seeks funding from the private sector for biodiversity conservation and restoration.

Bart also pioneered our global health practice. He has advised pharmaceutical clients on seasonal and pandemic influenza since 2016. Since then, this practice area expanded to cover all matters relating to infectious diseases, and as of 2020, emergency preparedness and response (eg. WHO prequalification, International Coordination Group negotiations, Emergency Use Listing, International Health Regulations Rev 2024). He has been the pharmaceutical industry’s lead lawyer advising on the WHO Pandemic Treaty negotiations, adopted on 14 May 2025. Currently, he continues to advise on the work of the Intergovernmental Working Group (“IGWG”) teasing out the technical details of the “Pathogen Access and Benefit-Sharing System” intended to create legally binding obligations on companies to commit vaccines, therapeutics and diagnostics in case of a new global health emergency.

In Chambers rankings, clients have kindly described Bart as “very knowledgeable, action-focused and service-focused lawyer”, adding that he “really tries to find a way of working through challenges”, am “customer-oriented” and provide “sound advice and reasonable options for our business with pros and cons.”

Finally, Bart has an active pro bono practice assisting NGOs defending the human rights of persons with a disability through strategic litigation before the EU Court.

Read more about Bart Van VoorenEmail
Show more Show less
Photo of Sam Jungyun Choi Sam Jungyun Choi

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such…

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such as AI, digital health, and autonomous vehicles.

Sam is an expert on the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act, having advised on these laws since they started to apply. In recent years, her work has evolved to include advising companies on new data and digital laws in the EU, including the AI Act, Data Act and the Digital Services Act.

Sam’s practice includes advising on regulatory, compliance and policy issues that affect leading companies in the technology, life sciences and gaming companies on laws relating to privacy and data protection, digital services and AI. She advises clients on designing of new products and services, preparing privacy documentation, and developing data and AI governance programs. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Read more about Sam Jungyun ChoiEmailSam Jungyun's Linkedin Profile
Show more Show less