October 27, 2021

Volume XI, Number 300

Advertisement
Advertisement

October 27, 2021

Subscribe to Latest Legal News and Analysis

October 26, 2021

Subscribe to Latest Legal News and Analysis

October 25, 2021

Subscribe to Latest Legal News and Analysis

EU Standard Contractual Clauses Likely to Survive for Now, but Risks Remain

On December 19th the EU Advocate General for the European Court of Justice issued an advisory opinion to the court in the case known as Schrems II. The main question presented to the court is the validity of the EU standard contractual clauses (SCCs) or model clauses as they are also known. Although the context of the case is transfers from the EU to the US, it has been uncertain whether the court would make any conclusions as to the more general viability of these widely used contracts for personal data transfers.

Although the Advocate General’s (AG) opinion is not binding on the court, the court often relies upon the AG’s opinion. So, what are the lessons that appear in the AG’s opinion?

  1. The SCCs issued by the European Commission (EC) are fine, in and of themselves, to use as a legal basis for transferring data to a third party in a jurisdiction that does not have what the EU considers to be adequate privacy protections;

  2. The EC’s 2010 decision (2010/87/EU) with respect to the use of SCCs states that the EC – in making the SCCs available – does not mean that a data controller or an EU member state Supervisory Authority (f/k/a DPAs) must use them or must find the SCCs to be effective protecting EU data in every instance;

  3. It is acknowledged that there may be circumstances in which either the data importer has breached the requirements of the clauses or that the data importer is otherwise incapable of protecting the data (which might occur in a jurisdiction in which rogue national security regimes wantonly vacuum up all personal data, without naming any names). In such circumstances, the SCCs would perhaps not be effective;

  4. It is therefore the responsibility primarily of the data controller and secondarily of the Supervisory Authority to determine whether the SCCs are effective in a particular circumstance; and

  5. Oh, by the way, the AG has reservations about the Privacy Shield validity and all but invites relitigation of that transfer mechanism.

So, this suggests that SCCs remain an official choice for now, but break not out the bubbly. This means that each EU data controller is further put on notice about transfers to a) companies and b) jurisdictions. If a US importing company experiences a data breach with EU data received under SCCs that would almost certainly constitute grounds for termination of the SCCs unless the EU data controller can assure itself that the company’s protections remain effective. 

More significantly however, EU data controllers and Supervisory Authorities have been more clearly authorized to decide by themselves that the nature of the US government is such that no US importer could possibly comply with the SCCs by preventing disclosure to the USG. It seems unlikely a data controller would make that decision, though a conservative data protection regulator might take that approach. To do so would be inconsistent with the latest health check of Privacy Shield – which suggests that US national security is behaving. The final paragraph of the press release suggests that the AG is skeptical of Privacy Shield. If Privacy Shield falls, then there would be a potential basis for EU exporters and more likely SAs to prohibit US transfers.

Stay tuned, as EU privacy developments continue at a rapid pace.

Copyright © 2021 Womble Bond Dickinson (US) LLP All Rights Reserved.National Law Review, Volume IX, Number 353
Advertisement

About this Author

Peter McLaughlin Privacy & Data Attorney Womble Bond
Partner

Peter McLaughlin is a Privacy & Data Security attorney who advises clients with respect to a broad range of technology transactions, privacy and security issues. While maintaining a broad privacy practice, Peter focuses on innovative uses of data, especially with the life sciences and digital health sectors. He also guides clients in their domestic and international handling of personal information; new product development; and the assessment of legally defensible cybersecurity programs. The Legal 500 has recognized Peter’s work in the area of data protection and...

857.287.3113
Advertisement
Advertisement
Advertisement