On 14th May 2021, the Irish High Court (High Court) dismissed a legal challenge brought against the Irish Data Protection Commission (DPC) concerning its inquiry and a preliminary draft decision to suspend the EU-U.S. data transfers of personal data of an applicant organisation.
These proceedings follow on from the Schrems II decision of the Court of Justice of the European Union (CJEU) in July 2020, which upheld the use of Standard Contractual Clauses (SCCs) for data transfers to third countries. The decision clarified the obligation of controllers and processors to evaluate their ability to comply with the SCCs in the light of local laws applicable to them before relying on the SCCs and to take supplementary measures to eliminate any risk of non-compliance.
The DPC initiated its ‘own-volition’ inquiry into the applicant organisation’s EU-U.S. data transfers and adopted the preliminary draft decision (PDD), suspending personal data flows to the US due to the lack of an adequate level of protection for personal data transferred to the US and the failure of the applicant organisation to implement supplementary measures. The DPC allocated a period of 21 days to the applicant organisation to make submissions to the DPC on the measures it plans to take to make data transfers possible. The applicant organisation filed judicial review proceedings on a number of grounds. The court rejected the submission by the DPC that the PDD and its procedures were not amenable to judicial review and reviewed each of the grounds that were raised.
Notable issues considered
The court held that it was within the DPC’s powers under the Irish Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR) to make a preliminary decision and that the procedural steps were, in fact, lawful.
On the issue of whether the DPC had an obligation to investigate before it issued its preliminary decision, the court found that the DPC already had a “vast amount” of information before beginning its inquiry and that, taking this into account, it was fair for the DPC to begin the inquiry with the preliminary decision without a further investigation. The preliminary decision stated the DPC’s preliminary views on the EU-U.S. data transfers in question and provided an opportunity for the applicant organisation to make submissions to affect the final draft of the decision.
On the ground of whether legitimate expectations established by the DPC about its procedures had been breached, the court determined that the information in the DPC’s Annual Report about the DPC’s investigations, on which the applicant organisation relied, was not sufficient to establish legitimate expectations. The DPC’s statements in the Annual Report were qualified and described an illustrative procedure, so were not applicable to all procedures.
On the timelines provided to an applicant for a response to the inquiry on the EU-U.S. transfers, the court found that the 21 days granted to the applicant organisation to make submissions against the findings in the preliminary decision were adequate, given the DPC’s obligation to act expeditiously in the exercise of its powers and “within reasonable time”.
The failure to await guidance from the European Data Protection Board (EDPB) before issuing a preliminary decision on EU-U.S. data transfers was also discussed. The CJEU had already clarified the obligations of controllers concerning the use of the SCCs. The High Court found that the DPC did not have to wait for the EDPB’s recommendations or guidance before exercising its powers and undertaking an inquiry.
The stay on the DPC’s investigation will now be lifted and the DPC will be able to go ahead with its inquiry. Once it finalises its decision, the DPC has an obligation to send its decision for review by other EU supervisory authorities concerned to take into account their views.
Next steps and concluding thoughts
Post-Schrems II, controllers and processors need to evaluate their transfers to third countries and only rely on the SCCs if they can abide by the terms of the SCCs and implement supplementary measures, where necessary, to reduce the risk of non-compliance. Supervisory authorities can initiate their own inquiries into organisations’ transfers. They have wide discretion on how to carry out an inquiry, provided they act in line with their GDPR obligations and follow a fair procedure.
Whilst organisations may be waiting for the EDPB guidelines on supplemental measures, which we expect will come out in the next few weeks, this does not remove their obligation to ensure their transfers are compliant. The supervisory authorities can take charge and have powers to suspend or prohibit a transfer of data to a third country where the data transferred is not protected and the controller has not itself suspended or stopped the transfer.