left-caret

PH Privacy

Has the Advocate General Just Given Many Businesses an Early Christmas Present?

December 19, 2019

Sarah Pearce and Ashley Webber

In a press release1 issued this morning, Advocate General Saugmandsgaard Øe, has confirmed that, in his opinion, the Court of Justice of the European Union (“Court of Justice”) should declare the Commission Decision (2010/87/EU) on standard contractual clauses (“SCCs”) for the transfer of personal data to processors established in third countries as valid.
The dispute in the main proceedings has its origins in the proceedings initiated by Mr Schrems, an Austrian privacy activist.  Mr Schrems first lodged a complaint with the Irish data protection authority in 2013 in relation to Facebook Ireland transferring personal data of users in Europe to Facebook Inc. in the United States.  Fast forward over 6 years, several decisions and reformulated claims, the Court of Justice has been asked by the Irish data protection authority to consider whether the use of standard contractual clauses offers sufficient safeguards as regards the protection of those citizens’ freedoms and fundamental rights.  In response, the Advocate General proposes that the Court of Justice reply to the questions in the complaint from Mr Schrems as follows: nothing has been disclosed to affect the validity of Decision 2010/87, i.e. the SCCS for the transfer of personal data to processors are still valid.

It is worth noting that this is not the final decision of the Court of Justice which remains to be issued.  That said, the opinion of the Advocate General, while not binding, is held in high regard by the Court of Justice and often followed.  Therefore, for many businesses relying on the SCCs for the transfer of personal data to processors outside of the European Economic Area, this news will come as a great relief: they can continue to rely on the SCCs as the lawful transfer mechanism.  Further, for those businesses currently transferring personal data from a country in Europe to a processor in the UK, post-Brexit2, the SCCs are set to remain a valid transfer mechanism.


[1] https://www.euractiv.com/wp-content/uploads/sites/2/2019/12/CP190165EN.pdf

[2] https://www.paulhastings.com/publications-items/blog/ph-privacy/ph-privacy/2019/11/13/brexit-what-does-this-mean-for-data-privacy