Phew! Well, that was a close one! The Advocate General of the CJEU has just massively saved everyone’s bacon! In stating that the EU model clauses are valid, we can continue to sleep safe in the knowledge that data can keep flying around protected by the twelve or so clauses that have served so well for the last decade or more, without having to do very much more work than continue to copy and paste them into Data Processing Agreements and Contracts.

Except… that’s not really what’s just happened… or what the Advocate General of the CJEU has just said… or, indeed, how you’re supposed to use the Standard Contractual Clauses.
The case, brought by the Schrems team that brought us the original Safe Harbor ruling, was predicated on the same basic problem as in the original Schrems case (hence Schrems 2) – that when data is sent to be processed outside of the EU, it becomes accessible by the government of the country in which it is being processed – namely, in the case of Facebook Ireland, the government of the United States.
Further, that individual EU data subjects will not be able to enforce remedies over that processing, and that the absence of controls to protect the rights of data subjects makes the use of the SCCs invalid in certain circumstances – which Schrems had requested the Irish Data Protection Commissioner enforce, by suspending the transfer between Facebook Ireland and its US parent.
There would appear to be an element of reprimand to the Irish DPC in the AG’s opinion – that it was, really, for the Irish DPC to take a view and act, rather than bump the case up to the CJEU. However, the opinion goes further than that.
The AG also holds that the Commission decision on the SCCs is valid, not because the clauses in themselves provide adequate safeguards in all circumstances, but because it’s the responsibility of the Data Controller/Exporter to take a view on whether the SCCs will be able to be enforced, and, potentially, whether the country’s security services may decide to snoop on the data held. And that if the Controller doesn’t do it, the supervisory authority should do so.
Starting with the first point, it is unclear how – when even other national governments don’t know the extent of the intelligence apparatus of their allies – individual companies are supposed to do so in a rational way. Can they be expected to make informed political, social and intelligence-based decisions – and should that be done on a vendor-by-vendor basis, or blanket across a whole jurisdiction? It becomes a judgement call on the part of the Controller or their DPO, based on… well, what? Gut feeling? Prejudice?
So, the fallback position is that it will then be up to the competence of the Supervisory Authority – and again, what resource it would use to make an adequate assessment is unclear. If the Court is going to confirm the AG’s view that it is for individual DP Authorities to decide – presumably using the Article 23 provisions – whether the SCCs can lawfully be used in each individual case, then we are suddenly in a rather more complicated position, unless the EU Data Protection Board can come to common ground – and in which case, what then? A white list of jurisdictions where it’s okay to use the SCCs? That feels like Adequacy-lite and not really a sustainable position – placing much more onus on regulators, while also starting to play on the territory normally occupied by the Commission.
In a sense, it’s a difficult position to fault – the EU courts and commission cannot legislate (literally) for the actions of foreign security services, and recognise that national security is a primary duty of any government, and also a reserved matter in the EU treaty – for EU governments at least.

The problem is, though, that it does rather seem to throw the protections offered by almost any transfer mechanism (the AG repeatedly seems to note that any mechanism – including Privacy Shield – has to be subject to the review of any relevant Supervisory Authority, regardless of the Commission’s powers) under the large double-decker bus of ‘national security’, however any individual government decides to interpret it – and there is not exactly global consistency on that, after all.
Underneath all of this is that the SCCs are often used as a generic compliance tool, easy to drop in, oft-added simply to tick the compliance box. By rights, those days should already be departing – GDPR compliance is too complex to simply bolt on SCCs without front-ending other DP clauses – but those are often (in the author’s experience) not well understood, or, in some cases, not well drafted.
Last year, I attended a briefing with the Irish DPC about BCRs, and she correctly made the point that BCRs are a vehicle for GDPR compliance – but that they don’t go much further than GDPR does anyway, especially with accountability measures included.
In the same vein though, the SCCs are also intended to provide that parity of protection to data subjects in the absence of other adequate safeguards. That is what the model clauses are intended to do. That is certainly what has to be read into the AG’s interpretation.
If that is to be the case then two things are necessary:
One, the Commission must hasten its work on revised Clauses, and clarify its own position on the elements of the AG’s view, alongside opinions from the EDPB. Clauses that are a decade old don’t help any of us in trying to comply with regulation that now has such large teeth.
Two, on the flipside, those preparing contracts must move on from treating the SCCs as just another bolt-on to tick the compliance box, and start really considering whether they work appropriately in a given circumstance – including, as argued by the AG, in respect of concern on how jurisdictions may treat data. It’s not uncommon for InfoSec colleagues to issue guidance on taking clean kit into certain jurisdictions – that may need to be considered for other types of data flows as well; the SCCs are not, and should not, be treated as a panacea.
In all, I don’t think the debate about the SCCs is exactly done and dusted – they may be ‘safe’ for now, in terms of validity – but with the onus placed back on Controllers and Supervisory Authorities to be more vigilant in their use, if that position is supported by the Courts in a few months’ time, it’s likely that many organisations will need to move, if not away from SCCs altogether, then at least to a position of using them in a far more considered way.