On October 3, 2017, the Irish High Court referred a legal challenge to the validity of the EU Standard Contractual Clauses (“SCCs”) to the Court of Justice of the European Union (“CJEU”) for resolution. Max Schrems, who had previously successfully challenged the validity of the now defunct U.S.-EU Safe Harbor Program in the Schrems case, had brought a similar claim in relation to the SCCs, and had requested that the Irish Data Protection Commissioner (“DPC”) declare that the SCCs do not provide sufficient protection when personal data is transferred outside the EU to the U.S. and thus are invalid. The Irish DPC declined to make such a ruling, but instead referred the case to the Irish High Court, and requested that the case be referred to the CJEU for a final decision on the validity of the SCCs.
The Irish DPC argued in the case that the SCCs do not provide sufficient protection to European citizens when their personal data is transferred outside of the EEA, and that such data may be at risk of being accessed and processed by U.S. state agencies for national security purposes in a manner incompatible with Articles 7 and 8 of the Charter of Fundamental Rights, which provide rights to respect for private and family life and to the protection of personal data respectively. When considering the case, the Irish High Court stated that “European Union law guarantees a high level of protection to EU citizens,” and furthermore that “they are entitled to an equivalent high level of protection when their data is transferred outside the European Economic Area.” In its decision, the Irish High Court agreed with the DPC that there are “well founded concerns” about the protection of personal data transferred to the U.S. pursuant to the SCCs, and referred the case to the CJEU for a preliminary ruling on their validity.
The referral to the CJEU casts some doubt on the future validity of the SCCs, which many organizations rely on in support of transfers of personal data to the U.S. and to other countries around the world. In the event that the CJEU agrees that the SCCs do not provide adequate protection for EU data subjects, companies and other organizations that rely on them will need to implement alternative data transfer mechanisms (such as U.S.-EU Privacy Shield certification or Binding Corporate Rules) to ensure the lawfulness of their transfers of personal data outside the EEA. Although no date for the CJEU’s decision in the case has yet been set, it could take two years, or longer, for the CJEU to render its decision. Until that time, the SCCs remain a valid mechanism to transfer personal data outside the EEA, including to the United States.