- The Advocate General considers the EU standard contractual clauses to be effective for the transfer of personal data to third countries.
- Laws of the recipient country can undermine clauses, but do not automatically render them ineffective.
- The exporter must stop the transfer if the importer cannot comply with the clauses.
- Supervisory authorities are obliged to investigate violations and, if necessary, suspend the transfer of data.
The Advocate General of the ECJ (Attorney General, AG; Henrik Saugmandsgaard Øe) considers the data transfer rules adopted by the EU Commission for data transfer to third countries to be Standard Contractual Clauses for effective. His recommendation is here in english retrievable.
Schrems had argued before the referring court, the Irish High Court, as follows:
In his reformulated complaint, Mr. Schrems claims, first, that the clauses in that agreement [basis of data transfer within the Facebook group to the U.S.] are not consistent with the standard contractual clauses set out in Decision 2010/87 and, secondly, that those standard contractual clauses could not in any event justify the transfer of the personal data relating to him to the United States. Mr. Schrems claims that there is no remedy that would allow the persons concerned to invoke, in the United States, their rights to respect for private life and to protection of personal data.
With regard to the effectiveness or validity of the standard contractual clauses, the AG initially states that the standard contractual clauses are an agreement between the parties. inter partes the Do not bind authorities of the recipient state and whose law may provide for obligations that conflict with the requirements of the standard contractual clauses:
125 In that regard, as, in essence, the DPC, Mr Schrems, the BSA, Ireland, the Austrian, French, Polish and Portuguese Governments and the Commission have submitted, the safeguards in the standard contractual clauses may be reduced, or indeed eliminated, when the law of the third country of destination imposes obligations that are contrary to the requirements of those clauses on the importer. Thus, the prevailing legal context in the third country of destination may, depending on the actual circumstances of the transfer, (48) make the obligations set out in those clauses impossible to implement.
However, this does not lead to the invalidity of the standard contractual clauses. This is because these require the data exporter to Stop transmissionif the recipient violates or fails to comply with its obligations:
132 To my mind, and as Mr Schrems and the Commission have maintained, Clause 5(a) cannot be interpreted as meaning that suspension of the transfer or termination of the contract is merely optional where the importer cannot comply with the standard clauses. Although that clause refers only to a right in that sense for the benefit of the exporter, that wording must be understood by reference to the contractual framework of which it forms part.. The fact that the exporter is given a right, in its bilateral relations with the importer, to suspend the transfer or terminate the contract where the importer is unable to honor the standard clauses is without prejudice to the obligation placed on the exporter to do so in the light of the requirements to protect the rights of the persons concerned arising under the GDPR. Any other interpretation would render Decision 2010/87 invalid in that the standard contractual clauses which it sets out would not permit the transfer to be accompanied by ‘appropriate safeguards’ as required by Article 46(1) of the GDPR, read in the light of the provisions of the Charter. (50)
133. in addition, according to clause 5(b) the importer is to certify that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the exporter and its obligations under the contract. In the event of a change in that legislation that is likely to have a substantial adverse effect on the warranties and obligations provided by the standard clauses, the importer will promptly notify that change to the exporterin which case the exporter is entitled to suspend the transfer of data and/or terminate the contract. In accordance with Clause 4(g), the exporter must forward the notification received from the importer to the competent supervisory authority if it decides to continue the transfer.
Moreover, the Supervisory authorities obligated – and not only entitled – to order the omission or cessation of the transferif the exporter does not fulfill his obligation in this respect:
146. thus, a supervisory authority must examine with all due diligence the complaint lodged by a person whose data are alleged to be transferred to a third country in breach of the standard contractual clauses applicable to the transfer. (56) Article 58(1) of the GDPR confers on the supervisory authorities, for that purpose, significant investigative powers.
147. the competent supervisory authority is also required to react appropriately to any infringements of the rights of the data subject which it has established following its investigation. In that regard, each supervisory authority has, under Article 58(2) of the GDPR, a wide range of means – the various powers to adopt corrective measures listed in that provision – of carrying out the task entrusted to it. […] Although the choice of the most effective means is a matter for the discretion of the competent supervisory authority having regard to all the circumstances of the transfer at issue, that authority is required to carry out in full the supervisory task entrusted to it. Where appropriate, it must suspend the transfer if it concludes that the standard contractual clauses are not being complied with and that appropriate protection of the data transferred cannot be ensured by other means, where the exporter has not itself put an end to the transfer.
However, the ECJ is not bound by the opinion of the AG.