In a significant decision regarding the manner in which personal data is transferred outside the EEA, Ms. Justice Caroline Costello in the Irish High Court yesterday, decided to refer the question of the validity of standard contractual clauses (SCCs), which are a mechanism allowing the transfer of personal data from the EU to the U.S. used by many data controllers and processors, to the Court of Justice of the European Union (CJEU) for a preliminary ruling under Article 267 of The Treaty on the Functioning of the European Union.
The decision acceded to a request from the Irish Data Protection Commissioner (DPC), Ms. Helen Dixon, to do so.
The case arose after Mr. Max Schrems, an Austrian lawyer and privacy advocate, complained about the transfer of his personal data by Facebook Ireland to its U.S. parent, Facebook Inc. Mr. Schrems' concerns arose from the disclosures regarding the U.S. National Security Agency's practices and the level of protection afforded to data transferred to the U.S. from the EU. The transfers by Facebook Ireland to Facebook Inc. had been carried out under the Safe Harbour regime, which had been established by way of an EU Commission decision in 2000, which deemed the U.S. to have an adequate level of data protection where the Safe Harbour regime was adhered to by the parties involved. That initial complaint led to the Irish High Court referring certain issues to the CJEU and the CJEU striking down the Safe Harbour arrangement for data transfers between the EU and the U.S. Since that decision, the EU Commission adopted on 12 July 2016 its decision on the EU-U.S. Privacy Shield in response. This new framework seeks to protect the fundamental rights of any person in the EU whose personal data is transferred to the U.S. as well as bring legal clarity for businesses relying on transatlantic data transfers. The Privacy Shield framework is subject to an ongoing review and challenge.
Following the CJEU's decision on Safe Harbour, Mr. Schrems reformulated his complaint to take account of the fact that Safe Harbour had been struck down. His reformulated complaint was then investigated by the Irish DPC. The DPC's investigation found that Facebook Ireland continued to transfer personal data to its U.S. Parent, Facebook Inc., in reliance in large part on the use of SCCs. This raises significant questions for the mode and manner of data transfers between the EU and the U.S., and beyond. One of the most significant questions is whether the exceptional discretionary power conferred on the DPC (and other Member State's Data Protection Commissions), under the relevant directive, to suspend or ban the transfer of data to a third country on the basis of a finding that the legal regime in that third country is sufficient to secure the validity of the SCC regime.
Mr. Schrems' concerns centre on the absence of an effective remedy in U.S. law compatible with the requirements of Article 47 of the Charter of Fundamental Rights of the European Union (the "Charter") for an EU Citizen whose data is transferred to the U.S. and may be subject to be accessed and processed by U.S. state agencies in a manner incompatible with Articles 7 (the right to respect for private and family life, home and communications) and Article 8 (right to protection of personal data).
Mr. Schrems had opposed a referral to the CJEU, arguing the Commissioner had enough information to finalise his complaint without it. Facebook also opposed the referral. Facebook and the U.S. Government, as an amicus curiae, argued U.S. law and other measures afford adequate protections for data privacy rights of EU citizens.
The DPC had sought the referral in circumstances where she had formed the view that Mr. Schrems' concerns appeared to be well founded. Ms. Justice Costello said that the Irish Data Protection Commissioner "has raised well-founded concerns that there is an absence of an effective remedy in U.S. law compatible with the requirements of Article 47 of the Charter (of Fundamental Rights)." She also said that the newly introduced Privacy Shield Ombudsperson mechanism in the Privacy Shield for dealing with Europeans' complaints about U.S. surveillance did not eliminate those concerns.
While the decision will delay clarification of these important issues, it is to be welcomed as a decision of the CJEU will bring clarity and avoid inconsistent applications across the EU and the EEA.
Ireland asks Europe's top court to rule on EU-U.S. data transfer