On 14th May 2021, the Irish High Court (High Court) dismissed a legal challenge brought against the Irish Data Protection Commission (DPC) concerning its inquiry and a preliminary draft decision to suspend the EU-U.S. data transfers of personal data of an applicant organisation.
These proceedings follow on from Schrems II decision of the Court of Justice of the European Union (CJEU) in July 2020, which upheld the use of Standard Contractual Clauses (SCCs’) for data transfers to third countries. The decision clarified the obligation of the controllers and processors to evaluate their ability to comply with the SCCs in the light of local laws applicable to them before relying on the SCCs and to take supplementary measures to eliminate any risk of non-compliance.
The DPC initiated its ‘own-volition’ inquiry into the applicant organisation’s EU-U.S. data transfers and adopted the preliminary draft decision, suspending personal data flows to the US due to lack of adequate level of protection for personal data transferred to the US and failure to implement supplementary measures by the applicant organisation. The DPC allocated a period of 21-days to the applicant organisation to make submissions to the DPC measures it plans to take to make data transfers possible. The applicant organisation filed judicial review proceedings on a number of grounds. The court rejected the submission by the DPC that the PDD and its procedures were not amenable to judicial review and reviewed each of the grounds that were raised. Continue Reading