The Irish High Court recently asked the Court of Justice of the European Union (CJEU) to rule on the validity of “standard contractual clauses” as a basis for transferring personal data out of the European Economic Area (EEA). This decision is the latest development in the prolonged dispute between Max Schrems and Facebook.
What are “standard contractual clauses”?
The EU Data Protection Directive restricts the circumstances in which personal data can be transferred out of the EEA (as will the incoming General Data Protection Regulation). Unless certain exceptions apply, in order to transfer personal data out of the EEA either (a) the country to which the personal data is exported must ensure an “adequate level of protection”, or (b) the data controller must put in place “adequate safeguards”.
The European Commission has approved standard contractual clauses (“Standard Clauses”) that can be put in place in order to provide such “adequate safeguards”. Standard Clauses are a popular mechanism for legitimising the transfer of personal data out of the EEA to countries, such as the USA, that are not on the European Commission’s “white list” of countries whose laws ensure an adequate level of protection.
History of the dispute between Max Schrems and Facebook
In June 2013, Max Schrems, an Austrian Facebook user, originally complained to the Irish Data Protection Commissioner (DPC) about Facebook’s transfers of his personal data. His complaint was prompted by Edward Snowden’s revelations concerning the US Intelligence Service’s access to, and mass surveillance of, data held by several US Internet giants, including Facebook. In light of these revelations, Schrems alleged that Facebook’s transfer of his personal data to the US was unlawful.
The central issue at first was the validity of the EU/US Safe Harbor regime (another regime sanctioned by the European Commission as providing “adequate safeguards” and then used by Facebook). The proceedings reached the CJEU and, in 2015, the CJEU ruled that the Safe Harbor scheme was invalid.
The decision forced many companies, including Facebook, to switch to relying on Standard Clauses for their EU/US transfers of personal data.
The case in the Irish High Court
After the CJEU’s ruling with respect to Safe Harbor, the DPC began its investigation into the lawfulness of Facebook’s transfer activities pursuant to Mr Schrems’s initial complaints about the handling of his data. However, as Facebook now uses Standard Clauses, these became the focus of the investigation. The DPC therefore applied to the Irish court to request a further ruling from the CJEU on the validity of Standard Clauses.
In his decision, the Irish judge shared the DPC’s reservations about Standard Clauses and their compatibility with the European Charter of Fundamental Rights. A key concern was that if an EU citizen’s data were to be unlawfully processed by a US Government Agency, the EU citizen may not have access to an effective remedy (as required by the European Charter of Fundamental Rights). The judge considered it important that Standard Clauses are contractual and therefore do not bind US Government Agencies, that EU citizens would not necessarily be notified of any surveillance or interception of their data, and that EU citizens may not have standing to seek an appropriate remedy in US courts.
In light of these concerns, the Irish High Court decided to refer the question of the validity of Standard Clauses to the CJEU.
A ruling by the CJEU is unlikely to be published for at least 18 months, so there is little cause for immediate concern. The Irish High Court has not declared Standard Clauses invalid – the power to do so rests only with the CJEU. Nevertheless, businesses that transfer personal data outside of the EEA should be mindful that they may, in the future, not be able to rely on Standard Clauses as a valid basis to transfer personal data outside the EEA.
Frustratingly, there are no obvious alternative approaches. However, as a decision from the CJEU draws closer, businesses should consider other bases for transferring data outside the EEA such as consent, in certain limited circumstances, from data subjects, implementing binding corporate rules or (for transfers to the US) relying on the EU-US Privacy Shield.