The European Court of Justice’s Advocate General has determined in a non-binding opinion on 19 Dec 2019 that transfer of data outside the European bloc is legal; a win for Facebook over the Irish Data Protection Commissioner (DPC).
“Standard contractual clauses (SCC’s) for the transfer of personal data to processors established in third countries is valid,” AG Henrik Saugmandsgaard determined, in a decision published by the Court of Justice. The Advocate General role is to propose a legal solution to court’s justices. The judges themselves are still deliberating and will rule at a later date, but the AG’s opinion represents a win and comes as a relief to businesses reliant on standard contractual clauses to underpin their outside EEA data transfers.
In 2013, Mr Schrems lodged a complaint with the Irish authority… taking the view that, in the light of the revelations made by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency, the law and practices of the United States do not offer sufficient protection against surveillance, by the public authorities, of the data transferred to that country. The Schrems II case seeks to confirm that a number of different data transfer mechanisms… cannot be used without significant due diligence by EU businesses with material risks if they get the judgements wrong.
The AG’s opinion suggests that these are issues for the Commission and Government and not individual businesses, suggesting that standard contractual clauses remain a solid basis for transferring data outside the EU. They will therefore be an important tool for UK businesses to receive data from the EU post Brexit, and make an adequacy finding a desirable rather than critical aspect of the forthcoming trade negotiations.