Earlier this month, in the latest ruling to emerge from the privacy campaign initiated by activist Max Schrems, the Irish High Court cast fresh doubt on the legitimacy of so-called Standard Contractual Clauses (“SCCs”, also commonly referred to as Model Contracts) as an approved method of ensuring lawful personal data transfers from the European Economic Area (“EEA”) to the United States. In this case, Mr. Schrems, joined by the Irish Data Protection Commissioner (“DPC”), objected to Facebook Ireland Ltd. transferring personal data to its parent company in the U.S., Facebook Inc.
The Irish High Court agreed with the “well-founded” concerns of the Irish DPC that U.S. law enforcement “surveillance” programs, such as the Foreign Intelligence Surveillance Act (“FISA”) and those leaked in 2013 by Edward Snowden, jeopardize EU citizens’ privacy rights upon transfer of data to the U.S. The DPC argued that there are “both specific and general deficiencies” in the remedies available for privacy violations under U.S. law for EU citizens whose personal data is transferred to the U.S. The DPC regarded these deficiencies, among others, as violations of EU citizens’ rights under the EU Charter of Fundamental Rights.
The Irish High Court has now called on the Court of Justice of the European Union (“CJEU”) for a preliminary ruling on the validity of SCCs for such transfers. There is no immediate consequence for EEA-to-U.S. data flows under SCCs. It could take over a year for the CJEU to make its determination.
However, an adverse ruling from the CJEU on the validity of SCCs will cast into doubt the lawfulness of personal data transfers outside of the EEA that rely on SCCs as their basis for transferring such data, and could also undermine the validity of other approved means of lawful data transfer such as binding corporate rules (“BCRs”). The uncertainty created by such an outcome would also come at a time when the EU General Data Protection Regulation (“GDPR”) is being fully enforced (as from May 25, 2018).
An adverse ruling could lead to a crisis in international data flows. An overwhelming majority of EEA companies use SCCs as their basis for ensuring compliant personal data transfers not only to the US but also to other countries outside of the EEA. While the present case concerns EEA-to-U.S. data flows, a negative outcome would raise fundamental questions such as:
- Are SCCs still valid for other third countries outside of the EEA apart from the U.S., if the basis of their invalidation is primarily due to the U.S. surveillance regime and ineffectiveness of remedies under U.S. law? If so, does this provoke an examination of othernon-EEA countries’ laws?
- Are SCCs valid for transferring personal data from the EEA to the United Kingdom after Brexit, particularly given controversy surrounding the UK’s own surveillance regime?
- Can the European Commission’s past and future approvals of other methods of ensuring compliant personal data transfers be relied on?
As Ms. Justice Costello stated in her judgment: “The case raises issues of very major, indeed fundamental, concern to millions of people within the European Union and beyond. Firstly, it is relevant to the data protection rights of millions of residents of the European Union. Secondly, it has implications for billions of euros worth of trade between the EU and the U.S. and, potentially, the EU and other non-EU countries.”
It would therefore be prudent for companies to consider the scale of their current international personal data flows and the extent to which these would be impacted by such an outcome.