An Irish High Court ruling may have a significant impact on one of the main mechanisms that global companies use to transfer personal data out of the European Economic Area (“EEA”). The Irish High Court ruled on 3 October 2017 that the Standard Contractual Clauses (“SCCs”) used by companies to transfer data from the EEA to US, also frequently referred to as “Model Contracts,” must be the subject of review by the Court of Justice of the European Union.
The SCCs are one of various data protection mechanisms approved by the European Commission. They are used to ensure safeguards are in place for the protection of personal data being transferred from within the EEA, to countries outside the EEA that do not provide adequate standards of data protection.
Justice Caroline Costello of the Commercial Division of the Irish High Court, stated that the Irish Data Protection Commissioner (DPC) presented “well founded” concerns that SCCs may be found to violate the European Charter of Fundamental Rights, and will refer certain questions to the CJEU.
The complaint was initially brought to the DPC by Max Schrems, an Austrian activist and privacy lawyer, in relation to Facebook’s transfer of data to the US. Mr Schrems has brought data privacy complaints against Facebook in the past, including the CJEU case that resulted in invalidation of the EU-US Safe Harbour mechanism.
In this case, the matter considered by the Irish High Court was the scope of protection given to EU citizens’ data on its transferal to the US. Mr Schrems’ concern was with the transfer of EU citizens’ data to the US under Facebook’s operations, and whether adequate remedies would be provided for governmental access to data within the US. Mr Schrems argued that the SCCs do not provide rights of redress.
In bringing the case before the Irish High Court, the Irish DPC raised concerns that went beyond the initial complaint by Mr Schrems regarding redress under the SCCs to the validity of decisions by the European Commission to approve SCCs. Justice Costello mirrored the DPC’s focus by stating that the main matter for consideration was the validity of those European Commission decisions, and that this can only be resolved by a decision of the CJEU.
The case must now be heard by the CJEU, and Justice Costello has asked the parties to the case to propose questions for referral to the CJEU. It is likely that the CJEU’s ruling will not be issued until at least a year after the date of the referral from the Irish High Court.
The consequences of any decision by the CJEU could be far-reaching. The number of companies relying on SCCs increased significantly in the wake of the first Schrems ruling invalidating the Safe Harbour. If the SCCs are now found to be invalid, a very large number of businesses that transfer personal data to outside of the EEA could be affected, including transfers by EU companies to numerous countries around the world other than the United States. If the clauses are held to be invalid, that may lead to further scrutiny of alternative grounds for transfers, although transfers of personal data could likely continue under the US-EU Privacy Shield, Binding Corporate Rules, and the other bases allowed in the EU laws.