3 February 2020
Notice to readers: This post is outdated. Please consult the GA4GH GDPR Forum’s analysis of the decision in Schrems II here.
Standard contractual clauses (SCCs) are the most common legal mechanism for international data transfers where the European Commission is yet to issue an “adequacy decision”, which finds that a third country’s data protection regime is “essentially equivalent” as the EU’s. Given the importance of SCCs to international data transfers, the December 2019 opinion of Advocate General Saugmandsgaard Øe (AG) on the suitability of standard contractual clauses (SCCs) in Facebook Ireland and Schrems, C-311/18 (“Schrems II”) has caused some consternation. While the opinion is only non-binding guidance for the Court of Justice of the European Union (CJEU), we wish to contextualise the AG’s findings and give readers indications regarding what to keep an eye out for when the CJEU gives its ruling.
So, what is notable about the AG Opinion?
On the scope of GDPR data transfer rules and SCCs:
The AG noted that SCCs are mechanisms for transfer “irrespective of the third country of destination and the level of protection guaranteed there.” While this is technically true, the level of protection guaranteed in a third country impacts the level of protection that the SCCs in that jurisdiction provide.
On the standard and method by which SCCs are assessed:
The AG opined that SCCs must meet the same standard of protection that applies to adequacy decisions – SCCs (i.e., the contractual relationship between the data exporter and importer) must provide “essential equivalence”’ in the protections they provide. Given the breadth of the considerations that go into an adequacy decision (e.g., human rights protections, existence and efficacy of independent supervisory authorities, etc. in the third country), this is potentially a demanding task. The result of failing such an assessment is the suspension of transfers based on the SCC in question.
When conducting such an examination, the AG noted that controllers must examine “all the circumstances characterizing each transfer.” This likely includes the criteria mentioned in b). Of particular interest to genomic and health-related research, the AG was of the opinion that the adequacy of each transfer is to be made by reference to the sensitivity of the data and security measures. Thus, where genomic and/or health-related data are implicated, it seems that exporting data controllers and their contractual partners should be more vigilant regarding the ability of contractual obligations to be met. As Kuner notes in his analysis of the AG Opinion, commercial data controllers are often in no position to offer an assessment of factors like the rule of law, human rights protections and so on.
The way in which these considerations are to be mediated is far from clear. Should the CJEU take a similar approach, additional guidance should be issued regarding the proper method for determining whether a third country’s law prevents the effective execution of contractual obligations pertaining to personal data protection, and in what way security measures and the data’s sensitivity are to be taken into account.
Given the reliance of SCCs for international data transfers for research and other purposes, what should we in the genomic research community keep an eye on? With the CJEU’s decision expected in the coming months, we should pay special attention to whether the Court takes the same approach to assessing SCC validity. Furthermore, we should look out for the decision in Quadrature du Net v. Commission, T-738/16. This case has been parked for the time being, awaiting the Schrems II decision, but focuses more squarely on Privacy Shield.
Relevant GDPR Provisions
Michael Beauvais works at the Centre of Genomics and Policy at McGill University in Montreal, Quebec, Canada.
Johan Ordish works for the PHG Foundation, a think tank with a special focus on genomics and personalised medicine that is a part of the University of Cambridge.
For a list of previous briefs, please consult here.
Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.