On October 3, 2017, the Irish High Court announced that it will make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling on the validity of the Standard Contractual Clauses, which allow companies in the European Economic Area (EEA) to transfer personal data outside of the EEA. In doing so, the Irish High Court acknowledged that, “there are well founded grounds for believing that the [Standard Contractual Clauses] are invalid,” but clarified that this was a question of EU law for the CJEU to decide.
What happened in the case?
Maximillian Schrems (an Austrian privacy campaigner who, in 2015, led a case that struck down the EU-US Privacy Shield’s forerunner, Safe Harbor) has a Facebook account. Schrems complained to the Irish Data Protection Commissioner (DPC) that Facebook Ireland Limited (Facebook Ireland) transferred his data to its US-parent, Facebook Inc. (Facebook US) for further processing.
In order to transfer personal data to a third country outside of the EEA, that third country (in this case, the US) should offer guarantees ensuring an adequate level of protection for personal data essentially equivalent to the level of protection ensured within the EEA. The European Commission (EC) has not considered the US to provide this adequate level of protection for personal data, so companies that wish to transfer data must rely on other data transfer mechanisms, including the Standard Contractual Clauses.
Schrems argued that the US legal regime — particularly its surveillance activities — does not protect his personal data to the extent required by EU law. Schrems argued that, as an EU citizen, he has the right to respect for his private life, home, and communications (Article 7 of the Charter of Fundamental Rights of the European Union (Charter)), the protection of his personal data (Article 8 Charter), and the right to an effective remedy before a tribunal to guarantee his rights (Article 47 Charter).
Facebook Ireland argued that the company’s transfers to Facebook US were pursuant to the Standard Contractual Clauses, which were expressly approved by the EC.
The DPC examined Schrems’ complaint and concluded that it raised “well-founded arguments,” insofar as there are deficiencies in the remedial mechanisms under US law for EU citizens whose data is transferred to the US. In essence, the DPC saw reasons for a “well-founded” objection that “there is an absence of an effective remedy in US law compatible with the requirements of Article 47 [Charter] for an EU citizen whose data is transferred to the US where it may be at risk of being accessed and processed by US State agencies for national security purposes in a manner incompatible with Articles 7 and 8 [Charter].” The DPC found that the Standard Contractual Clauses and their underlying decisions do not deal sufficiently with this concern and make no provision for a right in favour of a data subject to access an effective remedy in the event of interference by a US public authority on national security grounds or otherwise.
On this basis, the DPC brought a case to the Irish High Court, asking for a reference to the CJEU for a preliminary ruling on the validity of the Standard Contractual Clauses. On considering the arguments, the Irish High Court rejected the argument that the Article 4 mechanism in the Standard Contractual Clauses – which enables a data protection authority to ban or suspend data transfers to third countries – satisfies the requirements of Article 47 of the Charter. While the Irish High Court recognized that the Privacy Shield Ombudsperson mechanism is available to EEA data subjects whose personal data is transferred under the Standard Contractual Clauses, it rejected the argument that this is sufficient to satisfy the requirements of Article 47 of the Charter. The Irish High Court therefore held that it agreed with the DPC and that a reference for a preliminary ruling should be made to the CJEU.
Notably, the Irish High Court judgment goes to great lengths to emphasize that the judgment is limited to the validity of the Standard Contractual Clauses — the case does not concern national security (as Facebook Ireland argued), mass surveillance, or balancing freedoms in a democratic society.
Why does this matter?
There are three main mechanisms that businesses can use for exporting personal data outside of the EEA:
- Standard Contractual Clauses: For all transfers outside the EEA
- EU-US Privacy Shield: For transfers to certain US companies under the jurisdiction of the FTC
- Binding Corporate Rules: For intragroup transfers only
Standard Contractual Clauses are one of the most commonly used mechanisms to transfer personal data outside of the EEA. If the CJEU strikes down the Standard Contractual Clauses, companies will have to change their data transfer compliance strategies. Further complications might arise from another case, in which Digital Rights Ireland sued the European Commission in 2016 over the Privacy Shield (T-670/16). This case might be inadmissible, but it is still pending. Furthermore, one cannot exclude that the CJEU will use this Schrems case as an opportunity to look into the Privacy Shield as well. Given that data transfer compliance strategies can usually not be changed overnight, companies will have to consider potential consequences long before the potential judgments.
What happens next?
The Irish High Court will list the matter for submissions in which the parties involved can comment on the questions to be sent to the CJEU. The Irish High Court will then determine the questions and refer them to the CJEU for a preliminary ruling. All three sets of the Standard Contractual Clauses are based on different decisions of the EC, and these decisions remain valid during the CJEU procedure. If the Irish High Court submits the questions to the CJEU before the end of this year, a judgment in 2019 would be possible (for comparison, in the Schrems case, the CJEU judgement came 16 months after it received the questions from the Irish High Court).
You can read the full judgment of the case here.