On May 25, the Irish data protection authority (DPA), the Data Protection Commissioner, announced its intention to seek declaratory relief in the Irish High Court as well as referral to the European Court of Justice (ECJ) to determine the legal status of data transfers under Standard Contractual Clauses (SCCs). This statement from the Data Protection Commissioner comes in the wake of Maximilian Schrems’ complaint regarding the transfer into the U.S. of his personal data and the decision by the ECJ in the Schrems case invalidating the Safe Harbor on data transfers.
SCCs: The Most Convenient Tool Since the Invalidation of the Safe Harbor
In the Schrems case,1 the ECJ invalidated the Safe Harbor on the ground that the level of data protection within the United States is not “essentially equivalent” to that in force in the European Union. The ECJ criticized, first, the fact that American authorities (e.g., the NSA) had access to personal data with neither clear and precise limitations nor appropriate safeguards. Second, the court criticized the lack of judicial remedies available to EU citizens that would allow them to challenge potentially unlawful interference by American authorities.
The Schrems ruling has unsettled existing practice. Pending the adoption of the Privacy Shield, which will replace the Safe Harbor, legal uncertainty will endure. However, DPAs under the auspices of the WP29, a gathering of 28 European DPAs, have acknowledged SCCs as an alternative tool to the Safe Harbor that can enable U.S.-EU data transfers. To that end, SCCs have, following Schrems, become the easiest, fastest and most commonly used means of data transfer between the EU and other countries.
SCCs are model clauses adopted by the European Commission that set obligations for the data importer and rights for data subjects. Under one of the three different sets of clauses adopted by the commission (decision 2001/497/EC of June 15, 2001, decision 2004/915/EC of Dec. 24, 2004 and decision 2010/87/EU of Feb. 5, 2010), data controllers simply need to file for an authorization on the internet to facilitate data transfers under one of the model clauses.
The Likelihood of the Referral of the Preliminary Ruling to the ECJ
If the preliminary reference from the Irish Data Protection Commissioner is actually transmitted to the ECJ, the court will have to analyze whether the terms of the SCCs ensure an adequate level of protection in light of the principles established in the Schrems case. It is most likely that the ECJ will be asked to review the SCCs while taking into account American laws and practices, especially in the field of national security.
The Irish Data Protection Commissioner’s initiative is in line with the scheme described by the ECJ in the Schrems case. Based on the court’s reasoning, the existence of a European Commission decision enabling data transfers to a third country does not prevent DPAs from examining whether the SCCs provide an adequate level of protection. In case of doubts on the legality of data transfers, DPAs must be able to request review by national courts so that a preliminary reference can be transmitted to the ECJ, the only judicial body with the authority to invalidate the European Commission’s decisions.
According to Article 267 of the Treaty on the Functioning of the European Union (TFEU) and ECJ case law, national courts may refer questions on the validity of an EU act only where they consider the claim of invalidity prima facie well-founded. Given the doubts expressed by the WP29 on the validity of SCCs, it is probable that the Irish High Court will transmit the reference to the ECJ.
The Broader Implications of the Question Raised by the Irish Data Protection Commissioner Regarding the SCCs
SCCs have a wider scope than the Safe Harbor did, and any preliminary reference may have an even bigger impact than the Schrems case. While the Safe Harbor and Privacy Shield concern only transatlantic transfers, SCCs are a tool for all data transfers to all third countries (outside the EU) and not exclusively to the U.S.
It would seem likely that the question to be referred to the ECJ will specifically concern data transfers to the U.S. via SCCs, thus narrowing the question to the validity of SCCs in light of American surveillance laws and practices.
Nevertheless, the future ruling will, at least theoretically, reach beyond transatlantic transfers. Indeed, in the event of the invalidation of Commission decisions on SCCs, all data transfers with countries that do not benefit from an adequacy decision may be impacted.2 In any case, a ruling forbidding data transfers to the U.S. on the basis of SCCs will weaken SCCs more broadly and open the door to similar referrals concerning other countries.
Moreover, a preliminary ruling on the SCCs could seriously impact EU trade policy, especially at a time when the EU is concluding and negotiating a number of bilateral free trade agreements, not only the Transatlantic Trade and Investment Partnership but also agreements with Japan, Singapore and Vietnam. Indeed, narrowing the legal tools available for firms to transfer data to countries where their trade partners are established will undoubtedly hamper trade.