On 3 October 2017, the Irish High Court held that it is up to the European Court of Justice (“ECJ”) to determine whether Standard Contractual Clauses (“SCCs”) are a valid method of transferring personal data outside of the EU in compliance with privacy law. SCCs are widely used by businesses that transfer data from the EU to the US as a means to comply with European data protection laws. They are intended to give EU citizens the same level of privacy and protection when their data is stored in the US, as when it is stored in the EU.
The case involves an Austrian lawyer, Max Schrems, who originally filed a complaint with the Irish Data Protection Commissioner (the “Commissioner”) challenging Facebook’s use of SSCs. Schrems brought the case following revelations in The Guardian that the US National Security Agency had direct access to data on European users of Facebook stored in the US, as originally transferred from the EU. Schrems argued that the Commissioner should order Facebook to suspend sending data to the US, claiming that the standard clauses were not adequate to protect privacy under EU legal standards due to a lack of safeguards against US government surveillance.
The Commissioner argued that the case should be referred to the ECJ to determine whether the Commission’s decision on standard clauses is consistent with the EU Charter of Fundamental Rights. Justice Caroline Costello agreed that there were “well-founded grounds” for challenging the European Commission decision to approve SCCs as valid data transfer channels. The Irish judge held that only the ECJ has the jurisdiction to rule on the validity of a European measure.
The case is the latest to question whether methods used by large tech firms such as Facebook, Google and Apple to transfer data outside the European Union, provide EU consumers sufficient protection from US surveillance. This case also affects other companies that store information across borders and seek to transfer it for business purposes.
Safe Harbour Scheme and Privacy Shield
Schrems also filed a complaint against Facebook that led to the downfall of the US-EU Safe Harbour scheme. The scheme previously provided a framework for approved data transfers from the EU to the US for US companies that self-certified their compliance with EU privacy principles to the US Commerce Department. The Safe Harbour scheme was replaced by the EU-US Privacy Shield in 2016, which includes stronger privacy protections. The Privacy Shield tool, which is already utilized by about 2,500 companies, could be pulled at any moment if any developments in the US put the safety of European citizens’ data at risk.
While the case targets Facebook’s data transfers, the outcome could ultimately affect thousands of companies with business or servers across the EU that use the same transfer tools to transfer data back to the US. The decision could also have implications for trade between the EU and the US, and it could impact the privacy of millions of EU residents that are involved in daily transfers such as credit card transactions or hotel bookings.
While the ECJ is unlikely to halt transatlantic data transfers in its entirety, the Irish Court has been accused of “passing the buck” and shifting responsibility to Luxembourg. This decision will be closely watched by many businesses, as it could have significant implications for their ability to transfer personal data internationally.