The Irish High Court will ask the Court of Justice of the European Union (CJEU) whether the transfer of personal data under the EU Standard Contractual Clauses (SCCs) is adequate under European law.
The High Court held that the Data Protection Commissioner had "well-founded concerns" that:
- the personal data of EU citizens transferred outside Europe may not be protected, under SCCs, from being "accessed and processed by US state agencies for national security reasons" and in a manner "incompatible" with the Charter of Fundamental Rights of the European Union (the Charter); and
- there is no equivalent or effective remedy under US law for EU citizens to assert their right to privacy and data protection under the Charter.
In making this determination, the High Court ruled that: "[European] Union law guarantees a high level of protection to EU citizens as regards the processing of their personal data within the EU. They are entitled to an equivalent high level of protection when their personal data are transferred outside the EEA [European Economic Area]."
The Court also noted that "it is extremely important that there be uniformity in the application of the [Data Protection] Directive throughout the [European] Union on this vitally important issue. This requires that there be consistency and clarity."
While the Schrems II case focused on data transfers by Facebook to the US, the decision will have wider implications for all businesses relying on SCCs for data transfers internationally.