If the EDPB's recommendations are at odds with the European Commission's new Standard contractual clauses, which prevail?
Following the Schrems II decision of the Court of Justice of the European Union ("CJEU") last summer (see the blog here and webinar here), the European Data Protection Board ("EDPB") published draft recommendations aimed at assisting exporters with the onerous task of assessing third countries and identifying appropriate supplementary measures for data transfers. The same week, the European Commission published its new draft standard contractual clauses for consultation. These had been long anticipated, given that the previous standard contractual clauses ("SCCs") had been adopted under the GDPR's predecessor legislation, Directive 95/46/EC.
The EDPB's draft recommendations and the European Commission's new draft SCCs take opposing views on the issue of whether previous requests from public authorities for access to data are a relevant consideration when assessing risk. The draft SCCs suggest that the existence or absence of previous requests is a relevant factor (see draft clause 2(b)(i) on local laws affecting compliance with the clauses at page 13 and recital 20 of the draft decision). The EDPB's draft recommendations suggest that the likelihood of public authorities requesting access to the data is not a relevant factor (see paragraph 42).
This contradiction is clearly unsatisfactory and confusing from a compliance perspective. Given that both the recommendations and the SCCs are currently in draft, one would hope that this contradiction would be ironed out before both are finalised. The EDPB is required to give its opinion on the SCCs before they are adopted, so this may be an opportunity to come to a common position. But if the contradiction remains, which prevails – the final recommendation or the adopted SCCs?
The legal principles
The short answer is that regulatory guidance cannot trump legislation. If the contradiction remains, the legislation (i.e. the SCCs) will prevail. That is because the SCCs are part of a Commission Decision – an implementing act made under the GDPR (see Article 291(2) of the Treaty on the Functioning of the European Union). Recommendations, such as the EDPB's recommendations on the implementation of the Schrems II judgment, are not legally binding. This means that the legislation will prevail in the event of a contradiction between the two, and the position as set out in the legislation will be binding on individuals and the regulators.
What does this mean in practice?
A Data Protection Authority ("DPA") that took action inconsistent with the requirements set out in the SCCs could be challenged in a national court. For example, if a regulator suspended transfers on the basis that the exporter had wrongly assessed the risk relating to the transfer because it had taken the lack of previous requests from public authorities into account, a case could be taken before a national court. The complainant might allege that the decision to suspend transfers contrary to the SCCs was unlawful and should be quashed. The national court could refer the matter to the CJEU, but this would not be necessary where the legal position was clear. The national court would give precedence to the legislation rather than the guidance and would be able to quash the DPA's decision to suspend the transfer of data on the basis that it was inconsistent with the SCCs.
If the DPA thought that the new SCCs were somehow invalid then that is a matter which would have to go before the Court of Justice of the European Union ("CJEU"). Only the CJEU has the power to declare an EU instrument (such as the decision which contains the SCCs) invalid - see the case of Foto-Frost v Hauptzollamt Lübeck-Ost. The DPAs would not be able to treat the SCCs as invalid unless the CJEU had declared that they were invalid. The DPAs would not be able to unilaterally suspend transfers made in reliance on them on the basis of any supposed invalidity.
This is only a theoretical problem at the moment, given that both instruments have only been published in draft. Although the position in law is clear, it would be preferable for the recommendations and the SCCs to complement, rather than contradict, one another. Implementing the Schrems II judgment is already a significant compliance challenge. Clear and pragmatic guidance would be welcomed by controllers and processors from across the EU and beyond its borders.
 In reality the decision that the transfers should be suspended would probably be made on a number of different grounds. This example has been simplified to illustrate the point.