The Schrems II Case: The AG's Opinion
This webinar was originally broadcast on February 4, 2020.
The Schrems II decision was a landmark moment for cross-border data transfers under the General Data Protection Regulation (GDPR). The outcome of the judgment left many data controllers and data processors having to re-think the way they handle personal data transfers, ensuring the transfer mechanisms they have in place are compliant with EU data protection law and ensuring that the fundamental rights of EU data subjects are protected.
However, in the build-up to the Court of Justice of the European Union (CJEU) issuing their final decision in the Schrems II case, the Advocate General (AG) of the CJEU issued his opinion. OneTrust DataGuidance hosted a webinar alongside a panel of expert speakers who examine the transfer of personal data, the validity and effectiveness of standard contractual clauses (SCCs) as a data transfer mechanism, and the EU-US Privacy Shield framework. The panel also discussed the key findings of the AG’s Opinion and addressed four key questions offering insight into the practical implications of the Opinion.
Key Takeaways from the AG's Opinion on Schrems II
SCCs are valid
One of the key findings in the AG’s Opinion was the validity of the European Commission’s SCCs. During this webinar, the panel discussed the importance of the safeguards provided by SCCs and how organizations can manage implementation. While SCCs can facilitate safe data transfers, the validity of SCCs depends on the safeguards these clauses provide.
According to the AG's Opinion, it is advisable that organizations approach the use of SCCs on a case-by-case basis with consideration of third-country national law and the practical implications that the terms of the SCCs impose on data importers and EU data exporters of data. In particular, organizations should address the capabilities of each side to implement appropriate safeguards, be well equipped to facilitate the adoption of safeguards, and manage any obstacles that may restrict the terms of an SCC.
SCCs should not be considered a ‘tick box’ exercise
When working with SCCs, both parties involved in the transfer of data need to ensure the other is capable of compliance. In the view of the AG, SCCs should not be signed without insurance or guarantee that the other party will comply in practice. During this webinar, the panel noted by way of example that businesses could conduct regular audits of major vendors to check compliance with relevant clauses.
BCRs and alternative derogations
Within the discussion, the panel considered potential alternatives to SCCs, referencing the decision taken by the CJEU in the Schrems I case in 2015 which invalidated the EU-US Safe Harbor framework. The discussion highlighted that the use of Binding Corporate Rules (BCRs) continues to enable data transfers within an organization and alternative mechanisms to legitimize data transfers, such as derogations in relation to consent or contracts with data subjects, are subject to narrow interpretation.
The importance of supervisory authorities
The AG also highlighted the importance of supervisory authorities for ensuring that the safeguards used for international data transfers to third countries are suitable. In order for SCCs to be an effective measure, the terms of SCCs must be closely supervised.
The AG said, “a supervisory authority must examine with all due diligence the complaint lodged by a person whose data are alleged to be transferred to a third country in breach of the standard contractual clauses applicable to the transfer [...] where appropriate, it must suspend the transfer if it concludes that the standard contractual clauses are not being complied with and that appropriate protection of the data transferred cannot be ensured by other means.”