EU Standard Contractual Clauses Likely To Survive For Now, But Risks Remain

Author: Mr Peter F. McLaughlin
Profession: Womble Bond Dickinson

On December 19th the EU Advocate General for the European Court of Justice issued an advisory opinion to the court in the case known as Schrems II. The main question presented to the court is the validity of the EU standard contractual clauses (SCCs), also known as model clauses. Although the context of the case is transfers from the EU to the US, it has been uncertain whether the court would draw any conclusions as to the more general viability of these widely used contracts for personal data transfers.

Although the Advocate General's (AG) opinion is not binding on the court, the court often relies upon the AG's opinion. So, what are the lessons that appear in the AG's opinion?

- The SCCs issued by the European Commission (EC) are fine, in and of themselves, to use as a legal basis for transferring data to a third party in a jurisdiction that does not have what the EU considers to be adequate privacy protections;
- The EC's 2010 decision (2010/87/EU) with respect to the use of SCCs states that the EC - in making the SCCs available - does not mean that a data controller or an EU member state Supervisory Authority (f/k/a DPAs) must use them or must find the SCCs to be effective in protecting EU data in every instance;
- It is acknowledged that there may be circumstances in which either the data importer has breached the requirements of the clauses or that the data importer is otherwise incapable of protecting the data (which might occur in a jurisdiction in which rogue national security regimes wantonly vacuum up all personal data, without naming any names). In such circumstances, the SCCs would perhaps not be effective;
- It is therefore the responsibility primarily of the data controller and secondarily of the Supervisory Authority to determine whether the SCCs are effective in a particular circumstance; and
- Oh, by...
