On 31 May 2019, the Supreme Court of Ireland dismissed Facebook’s appeal of the Irish High Court decision to refer questions regarding, among other things, the adequacy of the EU-U.S. Privacy Shield and the European Commission’s Standard Contractual Clauses to the Court of Justice of the EU (the “CJEU”). The CJEU will hear the case (C-311/18) on 9 July 2019.

Background

Under the General Data Protection Regulation 2016/679 (the “GDPR”), and the Data Protection Directive before that, transfers of personal data outside of the European Economic Area (“EEA”) are permitted only where the recipient country has been deemed adequate by the European Commission, where the transfer is made subject to “appropriate safeguards”, or where a specific “derogation” can be relied on.[1] As the European Commission has not found that the U.S. is an “adequate” country from a data protection perspective,[2] regular transfers of personal data from the EEA to the U.S. are generally made in reliance on appropriate safeguards, the most commonly relied upon being the European Commission’s Standard Contractual Clauses (the “SCCs”). Additionally, transfers can be made to U.S. organisations that have self-certified under the EU-U.S. Privacy Shield (the “Privacy Shield”).

In 2013, data privacy lawyer and activist Max Schrems (“Schrems”) made a complaint to the Irish Data Protection Commissioner, which eventually resulted in a reference being made by the Irish High Court to the CJEU.[3] Schrems’s complaint focused on the adequacy of the EU-U.S. Safe Harbor, the Privacy Shield’s predecessor. In particular, the CJEU was asked to consider whether the Safe Harbor provided adequate protection for EU persons’ personal data transferred to the U.S., in light of the wide derogations from its principles permitted for national security, among other things. The CJEU found that adequate protection was not afforded by the Safe Harbor and invalidated the European Commission’s decision.[4]

This latest case follows on from the original complaint brought by Schrems to the Irish Data Protection Commissioner, this time examining the alternative methods for data transfers relied on by Facebook following the invalidation of the Safe Harbor. The Irish High Court’s reference to the CJEU includes eleven questions which test the ability of the SCCs and Privacy Shield to protect the fundamental rights of EU data subjects when their information is transferred to the U.S.

Facebook’s appeal

Facebook’s appeal to the Irish Supreme Court was intended to stop the referral to the CJEU, so that the adequacy of the Privacy Shield and SCCs could not be scrutinised by the European Union’s highest court.

The Irish Supreme Court determined that, while it can review a decision of the High Court to establish whether any of the facts relied upon should be overturned because they are not sustainable in accordance with Irish jurisprudence, it cannot entertain an appeal against the referral decision itself. It is for the referring court, and that court alone, to decide whether to make a reference (and whether to withdraw or amend that referral in light of any of the Supreme Court’s findings).

What’s next?

In light of the dismissal of the appeal by the Irish Supreme Court, the CJEU will have the opportunity to answer the questions referred to it. Once the CJEU has provided its decision, the Irish Data Protection Commission will make a final determination in respect of the original complaint (which could of course be subject to appeal by either Facebook or Schrems).

It is possible that the CJEU could find that the SCCs or the Privacy Shield are invalid, making this a critical case for thousands of companies reliant on these mechanisms to make data transfers from the EU to the U.S. each day. It is not known how long the CJEU will take to deliver its judgement; it took the court over a year to deliver its decision in relation to the invalidation of the Safe Harbor. Furthermore, the French privacy advocacy group La Quadrature du Net led a collective challenge to the Privacy Shield in 2016 which has still not been decided (Case T-738/16, “La Quadrature du Net”). In support of annulling the Privacy Shield decision, La Quadrature du Net identifies the continued possibility of mass surveillance as well as the absence of an effective remedy for dealing with complaints as being contrary to the Charter of Fundamental Rights of the EU (including the fundamental right to respect for privacy).

For now, we will have to wait and see whether these cases will cause serious disruption for EEA-to-U.S. data flows or, alternatively, whether the European Commission can provide an alternative in the meantime.


[1] The rules governing the transfer of personal data out of the EEA are set out in Chapter 5 of the GDPR.

[2] To date, the European Commission has found the following countries to be adequate: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay.

[3] Case C-362/14 Maximillian Schrems v Data Protection Commissioner, 6 October 2015. Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the U.S. Department of Commerce (the “Safe Harbor adequacy decision”).

[4] For more information, please see our Alert Memo on this topic: https://www.clearygottlieb.com/-/media/organize-archive/cgsh/files/publication-pdfs/cjeu-invalidates-safe-harbor-impact-on-transatlantic-data-transfers.pdf