Advocate General, Henrik Saugmandsgaard Øe of the Court of Justice of the European Union (CJEU) has just handed down his opinion in response to a referral by the High Court of Ireland for preliminary rulings of law. The High Court case in question related to complaints made by Max Schrems against Facebook Ireland and Facebook Inc concerning the transfer of Mr Schrems' personal data to the United States (U.S).
The Advocate General's (AG's) Opinion will be used in deliberations by the Court and whilst not binding, is persuasive and gives a good indication of what the CJEU may eventually rule.
The referral by the Irish High Court was in response to a request by Irish Data Protection Commissioner (DPC) for the court to provide a ruling so that it may adjudicate Mr Schrems' complaints.
Mr Schrems had argued that transfers of personal data from Facebook Ireland to its parent company, Facebook Inc in the U.S failed to ensure an adequate level of protection of the data transferred in accordance with the General Data Protection Regulation (GDPR) and its predecessor and requested the Irish DPC to suspend transfers to the U.S entity. This was on the basis that certain U.S surveillance laws and measures used by U.S government authorities, including the National Security Agency allowed the U.S government to intercept and collect content transmitted from Facebook Ireland by methods including access via underwater cables on the floor of the Atlantic Ocean.
Mr Schrems had complained to the Irish Data Protection Commission that by these laws, Facebook Inc would be required to make personal data of its users available to the U.S authorities and would infringe on his rights to privacy. Mr Schrems requested the Irish DPC to suspend such transfers. Mr Schrems had called into question the effectiveness of the legal basis on which Facebook relied to make the transfers, namely standard contractual clauses (SCCs) approved by the European Commission and also the validity of the “privacy shield” adequacy decision. The Privacy Shield is a program approved by the European Commission allowing private U.S organisations to obtain certification designed to afford a level of protection to individuals transferring their personal data to such organisations. A transfer of personal data to an organisation registered with Privacy Shield is currently one method to lawfully transfer personal data to the U.S.
In summary, the AG considered that notwithstanding the submissions put forward by the parties and a number of interveners, the validity of the SCCs should remain unaffected. This is because whilst the laws in the place of receipt may be found to be inadequate, the SCC provisions themselves are “compensation” for the lack of such adequacy. However, if the laws of the place of receipt prevents the recipient from complying with the SCCs (such as the surveillance laws in question) then it is up to the exporter of data to either suspend the transfers or terminate the SCCs. If the exporter chooses not to suspend the transfers or terminate the SCCs, it must notify the relevant supervisory authority (in the UK, this is the Information Commissioner’s Office) and that authority then has the power to itself suspend those transfers.
The AG declined to provide a formal opinion on 6 out of the 11 questions concerning the validity of the Privacy Shield protections and counselled the CJEU not to consider these questions in light of the particular facts of the case.
Notwithstanding this, the AG expressed a number of doubts concerning the level of protection afforded by Privacy Shield and these concerns will no doubt be noted by the CJEU.
A decision of the CJEU should be forthcoming in 2020.
For further information about this case or about privacy and data protection, please contact Chrysilla de Vere, Head of Clarkslegal LLP's Privacy and Data Protection Team.