McGuireWoods London partner Matthew Hall was quoted in a Dec. 23, 2019 Compliance Week article on EU-U.S. data transfer compliance. He discussed the Court of Justice of the European Union’s advocate general’s non-binding opinion that standard contractual clauses (SCCs) covering transfer of personal data outside the EU are “valid.”
While the CJEU will likely issue its ruling in early 2020, the consensus is that the CJEU will accept the recommendation, providing assurances to companies such as Facebook, which was challenged over its data protection safeguards from its subsidiary in Ireland.
“[T]his is an extremely important finding and will be a great relief to the numerous companies which make use of SCCs so as to allow the transfer of personal data outside the [European Economic Area] to affiliates and third parties,” said Hall in the article. “The advocate general essentially agrees that SCCs, assuming proper monitoring by companies using them and ultimately by the data protection regulators in the EEA, are appropriate and legal and do suitably protect personal data which is transferred out of the EEA including to the U.S.”
The article noted that the advocate general’s non-binding opinion includes some caveats, including that “organizations’ reliance on SCCs does not necessarily guarantee compliance unless effective monitoring also takes place” by both companies and regulators.
Hall explained that a data exporter must suspend or terminate transfers when the importer cannot comply with the SCCs. If the company transferring the data fails to act, the supervisory authority must do so.