Executive summary: The EU’s standard contractual clauses may be on the fast track to invalidation, putting a vast number of personal data transfers from the EEA at risk. A case brought by Maximilian Schrems (whose first complaint resulted in the invalidation of Safe Harbor) has been referred to the EU’s highest court, via a 153-page Irish High Court decision that provides ample ammunition to those who would like to see the standard contractual clauses struck down. Although aimed at Facebook, the consequences of the decision are virtually certain to affect all US companies that rely on the standard contractual clauses.
Many companies around the world rely on the EU’s standard contractual clauses (also known as the model clauses, and referred to in this article as the “SCCs”) as the legal basis for transferring personal data from the European Economic Area (EEA) to countries whose privacy laws have not been found adequate by the EU Commission. The SCCs are private contracts, and while some EEA countries require that parties that enter into SCCs deposit a copy, other countries do not, so no one knows for sure how many companies rely on the SCCs. But the answer is probably “an awful lot of companies.” Given the data flows between the EEA and US, and the fact that, as of today, only around 2,500 companies rely on Privacy Shield as the legal basis for the data transfers, it’s safe to assume that for US companies, the standard contractual clauses are the primary mechanism for transferring personal data to the US.
The SCCs have been subject to a legal challenge by Maximilian Schrems (often called the Schrems II case) that has just reached a critical inflection point: The Irish High Court has just issued a decision referring to the Court of Justice of the EU (CJEU) the question of whether the SCCs are invalid. The main thrust of the invalidity argument is the assertion that US national security laws do not offer adequate levels of protection for the rights of EU residents. In particular, the argument runs, EU residents lack a meaningful remedy before US courts for uses of their personal data by US national security agencies that are inconsistent with those persons’ rights under EU law.
The irony of this line of argument is that the European Union’s foundational treaties carve national security out of the remit of the EU and reserve national security legislation to the Member States. However, there are CJEU decisions that assert the EU’s legal reach into areas that, on their face, would appear to be reserved to the Member States, and the Irish High Court relies in part on those decisions (particularly the December 2016 judgment in Tele2 Sverige AB v. Post- och telestyrelsen and Secretary of State for the Home Department v. Tom Watson & Ors (joined cases C-203/15 and C-698/15)) to conclude that EU rights still apply in the context of national security.
Readers who are familiar with the EU’s Data Protection Directive might well be asking themselves at this point, what do the laws of the US have to do with the SCCs? The SCCs were designed as a contractual way of protecting EEA personal data when the recipient country’s laws weren’t adequate in themselves. This could well turn out to be a pivotal question in the CJEU’s ultimate decision. One of the key steps in the legal reasoning of the Irish High Court’s decision is that if national laws undermine the robustness of the SCCs’ protections for EEA data subjects, the EEA’s data protection authorities are still obliged to assess whether the EEA data subjects’ rights are adequately protected. The Court wrote:
. . . . Despite the provisions of the SCCs, nonetheless data transferred pursuant to the SCCs to third countries may not enjoy the adequate level of protection mandated by reason of the laws of the individual third country.
It seems to me that the provisions of the law in a particular third country may be the basis for suspending or prohibiting a data transfer or transfers pursuant to an SCC decision. It follows therefore that the provisions of the law of that third country may provide the basis for concluding that data transfers effected pursuant to SCCs under Article 26 (2) do not provide adequate safeguards for the personal data of data subjects.
. . . . It is clear that data exporters cannot rely solely upon the SCCs as complying with the requirements of the Directive regardless of the legal regime in the third country to which the data is exported. DPAs have an obligation to ensure that the data still receives a high level of protection and they are expressly granted powers to suspend or prohibit data transfers if the laws of the third country undermine that mandatory high level of protection. (paras. 150-152; emphasis added)
The Irish High Court clearly has taken a skeptical view of the privacy protections offered by US laws in the context of national security. If the CJEU adopts the legal reasoning of the Irish Court and its preliminary conclusions on the inadequacy of US privacy protections, the standard clauses may be invalidated very quickly for transfers to the US.
However, the Irish High Court’s reasoning would apply to transfers to many other countries besides the US. The nub of the question is whether EU residents have adequate remedies under foreign laws with respect to the processing of transferred personal data by foreign intelligence agencies. If the US’s safeguards and remedies are deemed to be insufficient, will China’s or Russia’s laws relating to intelligence activities and privacy fare any better? Or the laws of a great many other countries that follow the common approach of keeping secret intelligence activities . . . to state the obvious . . . secret. And what about countries that operate intelligence agencies without clearly defined statutory frameworks?
If the CJEU finds the reasoning of the Irish High Court persuasive, it will open the door to EEA data protection authorities needing to assess the national security laws and privacy protections of every country on Earth. One consequence could be the loss of the SCCs on a global basis . . . and given the few legal bases for transferring personal data outside of the EEA, the EEA may soon find it has boxed itself in. Potentially completely boxed in, since the same reasoning could be used to attack the new data transfer mechanisms, such as EU-approved privacy seals and industry-based privacy certifications. And, incidentally, the GDPR contains nothing to solve this particular problem.