Oct 112017

Schrems Judgment in the Irish Commercial Court Raises Concerns over the “Model Contracts” for Transfer of Personal Data Out of Europe

William RM Long and Thomas Fearon
, , , , ,

An Irish High Court ruling may have a significant impact on one of the main mechanisms that global companies use to transfer personal data out of the European Economic Area (“EEA”).  The Irish High Court ruled on 3 October 2017 that the Standard Contractual Clauses (“SCCs”) used by companies to transfer data from the EEA to US, also frequently referred to as “Model Contracts,” must be the subject of review by the Court of Justice of the European Union.

The SCCs are one of various data protection mechanisms approved by the European Commission. They are used to ensure safeguards are in place for the protection of personal data being transferred from within the EEA, to countries outside the EEA that do not provide adequate standards of data protection.

Justice Caroline Costello of the Commercial Division of the Irish High Court, stated that the Irish Data Protection Commissioner (DPC) presented “well founded” concerns that SCCs may be found to violate the European Charter of Fundamental Rights, and will refer certain questions to the CJEU.

The complaint was initially brought to the DPC by Max Schrems, an Austrian activist and privacy lawyer, in relation to Facebook’s transfer of data to the US. Mr Schrems has brought data privacy complaints against Facebook in the past, including the CJEU case that resulted in invalidation of the EU-US Safe Harbour mechanism.

In this case, the matter considered by the Irish High Court was the scope of protection given to EU citizens’ data on its transferal to the US. Mr Schrems’ concern was with the transfer of EU citizens’ data to the US under Facebook’s operations, and whether adequate remedies would be provided for governmental access to data within the US. Mr Schrems argued that the SCCs do not provide rights of redress.

In bringing the case before the Irish High Court, the Irish DPC raised concerns that went beyond the initial complaint by Mr Schrems regarding redress under the SCCs to the validity of decisions by the European Commission to approve SCCs. Justice Costello mirrored the DPC’s focus by stating that the main matter for consideration was the validity of those European Commission decisions, and that this can only be resolved by a decision of the CJEU.

The case must now be heard by the CJEU, and Justice Costello has asked the parties to the case to propose questions for referral to the CJEU.  It is likely that the CJEU’s ruling will not be issued until at least a year after the date of the referral from the Irish High Court.

The consequences of any decision by the CJEU could be far-reaching. The number of companies relying on SCCs increased significantly in the wake of the first Schrems ruling invalidating the Safe Harbour. If the SCCs are now found to be invalid, a very large number of businesses that transfer personal data to outside of the EEA could be affected, including transfers by EU companies to numerous countries around the world other than the United States.  If the clauses are held to be invalid, that may lead to further scrutiny of alternative grounds for transfers, although transfers of personal data could likely continue under the US-EU Privacy Shield, Binding Corporate Rules, and the other bases allowed in the EU laws.

William RM Long

London

wlong@sidley.com

Thomas Fearon

tfearon@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.