Alert December 20, 2019

Long Live the Model Clauses?

The Advocate General has issued an Opinion which states that the European Commission’s decision, enforcing the Standard Contractual Clauses (SCCs), is valid.

The General Data Protection Regulation (GDPR) restricts transfers outside of the European Economic Area (EEA) to third countries (for example, the United States), unless an appropriate safeguard (recognised under the GDPR) has been put in place. An example of an appropriate safeguard is the SCCs, issued by the European Commission, which controllers based in the EEA can put in place with recipients based outside the EEA to legitimise data transfers. The case of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C‑311/18) concerns the validity of the SCCs (another appropriate safeguard for transfers from the EEA to the US is certification to the EU-U.S. Privacy Shield Framework which is the subject of a separate legal challenge by Mr. Schrems).

Facebook Ireland relied on the SCCs to legitimise transfers to its parent company in the United States. Mr Schrems challenged the company’s reliance on the SCCs as he alleged there is no remedy that would allow individuals to invoke their right to respect for private life and to the protection of personal data in the United States. The Irish Data Protection Commissioner brought proceedings before the High Court in Ireland requesting it to refer the question to the Court of Justice of the EU.

The Advocate General has disagreed with Mr. Schrems’ challenge, stating that the SCCs are still valid. In particular, he has concluded that the fact the SCCs are not binding on the authorities of the third country and therefore do not prevent them from imposing obligations that are contrary to the requirements of those clauses on the recipient company, does not in itself render the SCCs invalid. The Advocate General found that the SCCs are valid because: (i) the contractual commitments of the parties to them are aimed at ensuring adequate protection for the personal data; and (ii) there is an obligation on the controller and the authorities to suspend or prohibit a transfer when the clauses cannot be complied with.

This is a landmark case as the SCCs are relied on by many EEA-based companies that transfer their personal data outside the EEA, and have no other practical means of transferring such data. Suffice it to say, a decision which renders these SCCs invalid would cause a major disruption to many data flows from the EEA.

Note that the Advocate General’s Opinion is not binding on the Court of Justice. The role of the Advocates General is to propose a solution, but the Court of Justice rarely departs from the Advocate General’s opinion, so this is a strong indication that the SCCs will survive. Judgment will be given at a later date – so we will be keeping a close eye on the conclusion of this case.

Goodwin’s Key GDPR team members include Gretchen Scott, Curtis McCluskey, Federica De Santis, Jackie Klosek and Eric DiIulio.

To learn more about how Goodwin can help your company address privacy and cybersecurity, contact Gretchen Scott, Technology and Privacy & Cybersecurity partner in London.

Goodwin’s Chambers and Legal 500 ranked Privacy & Cybersecurity practice offers a fully integrated, multi-disciplinary approach to clients’ data protection needs. One of the longest-standing of any Am Law 50 firm, our global team is uniquely positioned to provide the most innovative solutions to guide clients through the collection, use, processing and protection of their most sensitive information. Our senior lawyers include a former Chief Privacy Officer of the U.S. Department of Homeland Security in the Obama Administration and Legal 500 Recommended Lawyer; a Legal 500 “Leading Lawyer;” and a “Next Generation Lawyer” in Cyber Law and Data Breach Response, as well as three other Legal 500 Cyber Law ranked partners; several former federal prosecutors; and multiple GDPR, CCPA, FTC, HIPAA, and COPPA experts. We have handled hundreds of data breaches, including high-profile, global incidents involving everything from ransomware to nation-state attacks; have advised on over 700 public and private transactions in the last year alone; and have designed strategic privacy, information security and compliance programs for startups, global enterprises, and everything in between. We have litigated landmark privacy cases and defended against class action and government enforcement actions brought by the FTC, OCR/HHS, state attorneys general and regulators across the globe.