On 9 July 2019 the Court of Justice of the European Union heard the reference for a preliminary ruling from the Irish High Court on questions relating to the use of standard contractual clauses (“SCCs”) in relation to transfers of personal data to the United States of America. Participants in these landmark proceedings included the Irish Data Protection Commission, Facebook, Maximilian Schrems, the Government of the United States of America, the European Commission, the European Parliament, the European Data Protection Board and certain Member States including Ireland, the UK, France, Germany and the Netherlands. The next step will be for the Advocate General to deliver his opinion, which is scheduled to take place on 12 December 2019. The Court will make its decision within a few months of the AG’s opinion being delivered.
To recap, the proceedings originally arose from a complaint made by Mr Schrems against Facebook Ireland, criticising the manner in which Facebook relied upon the SCCs to legitimise transfers of personal data on a controller-to-processor basis to the USA. Following an investigation of this complaint, the Data Protection Commissioner made a draft decision and initiated proceedings to seek a reference to the CJEU of questions relating to the validity of the controller-to-processor SCCs. The DPC’s summary of these proceedings is available here.
As a result of the wide-ranging nature of the questions that were referred to the CJEU by the Irish High Court following a lengthy hearing, and the inherent discretion of the CJEU when dealing with questions referred to it under Article 267 of the TFEU, there is a broad range of potential outcomes from these proceedings. Issues that might be addressed by the CJEU include:
- The validity of the current version of the controller-to-processor SCCs.
- Whether laws and practices in third countries are relevant when considering whether SCCs can be relied upon to legitimise transfers of personal data to those third countries.
- The extent to which EU data protection law requirements regarding transfers of personal data to ‘third countries’ apply while personal data is ‘in transit’ between the EU and such a third country.
- What relevance the EU-US Privacy Shield decision has for transfers of personal data to the USA based on SCCs.
- The legal framework against which the ‘adequacy’ of third countries’ regimes should be assessed for the purposes of EU data protection law.
Organisations that rely on SCCs for transferring personal data outside the European Economic Area need to be prepared for the possibility of significant changes to the current regime if the CJEU finds that the current controller-to-processor SCCs violate EU law (and/or makes other findings that have a material impact on the current transfers regime). At a minimum, all organisations should be aware of the circumstances in which they are transferring personal data outside the EEA and what mechanisms they are relying on to legitimise these transfers, so that they can address any breaking legal developments in this area quickly. Such organisations may take some comfort from the knowledge that if the Advocate General’s opinion is not due until 12 December 2019, then no such developments will arise from these proceedings until 2020.