Ireland’s Data Protection Commissioner (DPC) is seeking declaratory relief in the Irish High Court and a referral to the European Court of Justice (CJEU) of a complaint brought against Facebook which challenges the legitimacy of the EU-approved “Standard Contractual Clauses”. In October 2015, the CJEU invalidated the EU Commission’s decision approving the Safe Harbor agreement with the United States, which at the time was being used by thousands of US companies as the legal basis for transferring EU personal data from the EU to the US. Two major concerns with the Safe Harbor arrangements were identified by the CJEU: the broad powers of US law enforcement and security agencies to access EU personal data once exported to the US, and the lack of any procedures allowing EU citizens a right of redress in such circumstances.
Following the CJEU’s decision on Safe Harbor, many US companies that had been Safe Harbor-certified put in place the EU Standard Contractual Clauses, which contain specific undertakings consistent with the EU data protection rules to which both the exporters and importers of EU personal data agree to adhere. Those challenging the use of the Standard Contractual Clauses, using Facebook as a test case, have argued that the same concerns that led the CJEU to invalidate the EU Commission’s decision approving the Safe Harbor arrangements apply to the Standard Contractual Clauses as well.
It is unclear whether the challenge to the Standard Contractual Clauses relates solely to transfers of EU personal data to the US or to any country outside the EU that is not the subject of an “adequacy finding”. With regard to US transfers, it remains to be seen whether relevant legislative developments in the US that have taken place since the record of the case challenging the Safe Harbor arrangements was closed will affect the outcome of this latest challenge to the Standard Contractual Clauses. It is also an open question whether this latest challenge will impact the EU Commission’s “adequacy decision” on the so-called Privacy Shield arrangements between the US and the EU, which are pending approval and are intended to resolve the CJEU’s concerns regarding Safe Harbor. Concerns about the adequacy of the proposed Privacy Shield arrangements have been raised by national data protection authorities, the European Data Protection Supervisor and members of the European Parliament.
In the meantime, the use of the Standard Model Clauses remains a viable, if potentially short-lived, option for companies that are involved in the transfer or EU personal data to the US We will continue to provide updates on the status of EU-US data transfers as further developments unfold.