Advocate General: Standard contractual clauses for the transfer of personal data to processors established in third countries is valid

20 Dec 2019 12:19 PM

The General Data Protection Regulation (GDPR), like the Data Protection Directive which it replaced, provides that personal data may be transferred to a third country if that country ensures an adequate level of protection of the data. In the absence of a decision of the Commission finding that the level of protection ensured in the third country in question is adequate, the data controller may nevertheless proceed with the transfer if it is accompanied by appropriate safeguards. Those safeguards may take the form, inter alia, of a contract between the exporter and the importer of the data containing standard protection clauses set out in a Commission decision. By Decision 2010/87/EU, the Commission established standard contractual clauses for the transfer of personal data to processors established in third countries. The present case concerns the validity of that decision.

The facts and the background to the dispute in the main proceedings

The dispute in the main proceedings has its origins in the proceedings initiated by Mr Maximillian Schrems, an Austrian Facebook user, which gave rise to a judgment of the Court of Justice delivered on 6 October 2015 (‘the judgment in Schrems’). 

The data of Facebook users residing in the EU, such as Mr Schrems, are transferred, in full or in part, from Facebook Ireland, the Irish subsidiary of Facebook Inc., to servers located in the United States, where they are processed. In 2013, Mr Schrems lodged a complaint with the Irish authority responsible for monitoring the application of the provisions relating to the protection of personal data (‘the supervisory authority’), taking the view that, in the light of the revelations made by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency or ‘NSA’), the law and practices of the United States do not offer sufficient protection against surveillance, by the public authorities, of the data transferred to that country. The supervisory authority rejected the complaint, on the ground, inter alia, that in a decision of 26 July 2000 the Commission had considered that, under the ‘safe harbour’ scheme,6 the United States ensured an adequate level of protection of the personal data transferred.

Click here for the full press release