The Irish High Court has referred the case of Data Protection Commissioner v Facebook Ireland & Maximillian Schrems to the Court of Justice of the European Union (CJEU) for a ruling on the validity of the Standard Contractual Clauses mechanism which allows transatlantic data flows between the EU and the US.
UK (and EU) law does not allow the transfer of personal data from the European Economic Area to another country unless that country provides an adequate level of protection for that data. To date very few countries have secured a finding from the European Commission that they provide an adequate level of protection. Organisations wishing to transfer personal data to countries without a finding of adequacy, such as to the US, need to make use of one of the other mechanisms available to legitimise these transfers.
The Standard Contractual Clauses (SCCs) are one such mechanism and have been commonly adopted by organisations who need to transfer personal data outside of the European Economic Area. They were adopted following a series of decisions by the European Commission and are perhaps the most straightforward and readily available method of ensuring an adequate level of protection for data transfers out of the EEA.
For transfers of data to the US it was also previously possible to make use of the Safe Harbor regime. This was however declared invalid in 2015 by the CJEU following a similar reference from the Irish High Court arising out of the first Schrems case. This led the US Department of Commerce, the European Commission and the Swiss Administration to develop Privacy Shield, a mechanism to provide adequate levels of data protection for the transfer of data.
In June 2013, Max Schrems lodged a complaint with the Irish Data Protection Commissioner (DPC) concerning the issue of the protection afforded to EU nationals when their personal data is transferred by Facebook Ireland to Facebook USA. At the time this transfer was permitted by the Safe Harbor arrangement. Central to Mr Schrems’ case was his claim that the US did not have adequate protection in place to safeguard his personal data from the surveillance of US public authorities.
The DPC in the first instance refused to investigate the complaint, referring to it as “frivolous”, and concluded that Safe Harbor ensured adequate protection. However, Mr Schrems challenged the DPC’s decision by pursuing an action before the Irish High Court, which in turn referred the case to the CJEU. In October 2015, the CJEU ruled that the Safe Harbor arrangement was invalid and ordered the DPC to investigate Mr Schrems’ complaint.
On reopening Mr Schrems’ complaint, the DPC formed the view that it could not conclude it without a further ruling from the CJEU. It therefore brought further proceedings before the Irish High Court seeking a further reference to the CJEU for a ruling on the validity of the SCCs. Joined as Defendants to these proceedings were Facebook Ireland Ltd and Mr Schrems. A number of other parties also participated in the proceedings as amici curiae, including the United States of America and a number of the world’s largest technology companies.
On 3 October 2017, the Irish High Court gave its judgment finding that the DPC had raised “well-founded concerns” as to the validity of the SCCs and referred the matter to the CJEU for a preliminary ruling.
The actual questions that the Irish High Court will put to the CJEU are yet to be determined and these will be finalised once the various parties have had an opportunity to consider the Court’s judgment and to make submissions. It is however clear that those questions will ask the CJEU to decide on the validity of the SCCs. They are also likely to impact on the validity of the Privacy Shield regime. A decision from the CJEU is however likely to be some time away.
This is clearly a very unsatisfactory state of affairs for any organisations looking to transfer data outside of Europe, as this reference to the CJEU places considerable doubt on the SCCs and possibly also Privacy Shield. It may lead organisations and sector-specific bodies to develop other methods to legitimise flows of data out of the EEA. One such option may be approved certification mechanisms, which are specifically allowed under the forthcoming General Data Protection Regulation (GDPR) regime, but that is largely uncharted territory at this time.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.