The CJEU's advocate general backed Max Schrems' argument in a case focusing on whether Facebook's Dublin-based subsidiary can legally transfer users' personal data to the U.S. parent company.
GDPR provides that personal data may be transferred to a third country if that country ensures an adequate level of protection of the data. According to the opinion of Advocate General Saugmandsgaard ?e in CJEU case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, in case of absence of a decision of the Commission finding that the level of protection ensured in the third country is adequate, the data controller may proceed with the transfer of data if it is accompanied by appropriate safeguards. One form of such safeguards is a contract between the exporter and importer of the data containing standard protection clauses. By Decision 2010/87/EU, the Commission established standard contractual clauses for the transfer of personal data to processors established in third countries. In the opinion of the Advocate General ?e the decision 2010/87/EU establishing standard contractual clauses is valid and provides a general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there.
In the opinion, Advocate General ?e stated that EU law applies to transfers of personal data to a third country where those transfers form part of a commercial activity, even though the transferred data might undergo processing, by the public authorities of that third country, for the purposes of national security.