The Irish High Court delivered a key judgment regarding the transfer of personal data outside the European Economic Area on 3 October 2017. In the case commonly referred to as the ‘Model Clauses Case’ or ‘Schrems II’ (Data Protection Commissioner v Facebook Ireland & Maximillian Schrems), Ms Justice Costello ruled that questions relating to the validity of the European Commission decisions regarding the standard contractual clauses should be referred to the Court of Justice of the European Union for a preliminary ruling. The specific details of the questions to be referred to the CJEU have yet to be determined and the parties to the proceedings will be afforded an opportunity to make submissions on these points.
The questions to be referred to the CJEU will raise fundamental issues regarding the current EU legal system for legitimising transfers of personal data outside the EEA. As any organisation that engages in such international transfers will know, EU law in this area has been in a state of flux and uncertainty ever since the Safe Harbor regime was struck down by the CJEU in October 2015. The EU-US Privacy Shield, which was adopted as the successor to Safe Harbor as a mechanism for facilitating transfers of personal data to the United States, is subject to ongoing challenges. Standard Contractual Clauses, which are the most commonly relied upon method for providing for transfers outside the EEA, remain valid for now but will be in jeopardy once they come to be considered by the CJEU as a result of this referral from the Irish High Court. Binding corporate rules, which are a less commonly used mechanism for covering transfers of personal data between members of the same corporate group, may also be affected by the CJEU’s ruling regarding the Standard Contractual Clauses, once it is delivered.
Apart from the decision to refer questions to the CJEU, other notable elements of this judgment by the Irish High Court include the following:
- Ms Justice Costello held that she had jurisdiction to refer these questions to the CJEU (despite the unusual way in which they came before her) and that she had a duty to do so if she shared the ‘well founded’ concerns raised by the Data Protection Commissioner.
- The judge emphasised that the case did not involve a decision on the respective merits of the EU or US privacy law regimes, nor did she purport to criticise the laws of the US. In addition, the case was not a judicial review of the draft decision of the Data Protection Commissioner that precipitated these proceedings.
- Transfers of personal data to another country based on the Standard Contractual Clauses are not conditional upon that country being deemed by the European Commission to have ‘adequate’ data protection laws. This is a fundamental distinction between Article 25 and Article 26 of the Data Protection Directive. However, issues regarding the laws of another country may provide the basis for concluding that transfers effected pursuant to the Standard Contractual Clauses do not provide adequate safeguards for the personal data of data subjects within the meaning of Article 26. If privacy laws in the United States are considered by EU authorities to be inadequate, then according to Ms Justice Costello the Standard Contractual Clauses cannot and do not remedy or compensate for such inadequacies.
- The Irish High Court does not have jurisdiction to pronounce on the validity of the Standard Contractual Clauses decisions. However the judge concurred with the Data Protection Commissioner that there are well founded grounds for believing that these decisions are invalid and, as a result, a reference to the CJEU regarding their validity is necessary and appropriate.