The Advocate General has published his opinion on the validity of the European Commission’s Standard Contractual Clauses. Long story short: he says they’re valid.
GDPR – and its predecessor the Data Protection Directive – permit data transfers outside the European data fortress (aka the EEA) to a “third country” provided the Commission has determined the receiving country has adequate data protection laws, as it has for Canada, Israel, Switzerland and the USA (via the Privacy Shield). Alternatively, data transfers may occur where the data exporter has implemented appropriate safeguards, for example, by using the SCCs.
Maximilian Schrems successfully questioned the validity of personal data transfers through Facebook to the USA under the then “Safe Harbor” regime. The current Privacy Shield grew from those ashes. In this second case, Schrems was questioning the validity of the SCCs.
The AG said there was no conflict between the SCCs and GDPR or the Charter on Fundamental Human Rights of the European Union. As an aside, he did raise questions over the validity of Privacy Shield, although that was not part of this case. Given the full court follows the AG’s opinion most of the time, it’s likely they’ll say the same.
What does this mean?
- personal data transfers outside the EEA are valid when made using the SCCs
- transfers to the USA under the Privacy Shield are valid — for now
What about Brexit?
Now that the new Conservative government has a resounding majority, it’s likely they will get Brexit through by 31 January 2020 on the basis of the last published deal. This has a transition period until 31 December 2020 during which time the UK is largely treated as a member of the EU. Transfers can continue from the UK to the rest of the EEA as usual. The Conservative government has raised the prospect of a no-deal Brexit on 1 January 2021. This might simply be brinkmanship again to get a favourable deal. In the meantime, you should check you are ready to use SCCs in your customer & supplier agreements, even where all parties are based inside the EEA. And the EU Commission just needs to update the SCCs so they refer to GDPR not the old Directive…
Still not sure and want advice? Or do you need assistance getting your data transfer agreements in shape? Get in touch with me by email firstname.lastname@example.org or phone +44 (0)20 7467 8742.