Earlier this year, the Irish Data Protection Commissioner commenced proceedings in the High Court against Facebook Ireland Limited and Maxmillian Schrems. These proceedings have attracted unprecedented global interest. We provide an insight into the status of this litigation and its potential implications.
In May 2016, the Irish Data Protection Commissioner (“DPC”) started proceedings in the High Court, seeking a reference to the Court of Justice of the European Union (“CJEU”) for a preliminary ruling on the validity of the EU Commission decisions which permit data transfers from the EU to third countries on foot of standard contractual clauses (“SCCs”).
This litigation, which stems from a complaint by Maxmillian Schrems (“Schrems”) to the DPC in respect of Facebook Ireland Limited (“Facebook”), is a follow-on from related litigation (Schrems v Data Protection Commissioner) which resulted in the 2014 CJEU ruling that the EU Commission decision underpinning Safe Harbor was invalid.
The underlying issues
Article 25(1) of the Directive 95/46/EC (the “Directive”) prohibits the transfer of personal data outside the EU unless the country to which the data is transferred "ensures an adequate level of protection" for the data protection rights of those individuals whose data is transferred.
However, the Directive provides an exception whereby a Member State may authorise transfers of personal data to a third country which does not ensure an adequate level of protection if "appropriate contractual clauses" are used. These “appropriate contract clauses” are the SCCs, which are heavily relied upon in international commerce to move data from Europe to other jurisdictions.
There are currently three sets of SCCs which have been approved by the Commission ("the SCC Decisions").
In October 2015, in its judgment in Schrems v DPC, the CJEU laid down the process which national data protection authorities – like the DPC – are expected to take when they have doubts about the validity of a tool that is used to transfer personal data out of Europe: "It is incumbent upon the national legislature to provide for legal remedies enabling the national supervisory authority concerned to put forward the objections which it considers well founded before the national court in order for them, if they share its doubt as to the validity of the Commission decision, to make a reference for a preliminary ruling for the purpose of examination of the decision's validity."
On review of Schrems’ reformulated complaint following the judgment in Schrems v DPC, the DPC formed the preliminary opinion that there are well-founded objections to the SCC Decisions and doubts as to their compatibility with Article 47 of the Charter of Fundamental Rights (the right to an effective remedy). She then commenced the present case against Facebook and Schrems seeking a reference to the CJEU for a preliminary ruling on the validity of the SCC Decisions. A finding that the SCC Decisions are invalid would likely have a profound impact on international business, which increasingly relies on the free flow of personal data across borders.
In an unprecedented development, eleven separate applicants including the USA, various industry bodies and human rights advocates sought leave from the Court to be joined as amici curiae (friends of the Court). Four parties, namely the USA, the Electronic Privacy Information Centre, Digital Europe and BSA Business Software Alliance were successful in their applications.
The widespread interest in this case arises, in part, from the potential economic and commercial consequences that could flow from a ruling that the SCC Decisions are invalid. In a 2013 trade impact assessment completed by the European Centre for International Political Economy for the US Chamber of Commerce, it was estimated that if services and cross-border data flows were to be disrupted, the negative impact on EU GDP could reach -0.8% to -1.3% and EU services exports to the US could drop by -6.7% due to loss of competitiveness.
A timetable has been set down by the Court for exchanges of pleadings, submissions and affidavits of evidence culminating in a three week trial commencing on 7 February 2017.
Interplay with the EU-US Privacy Shield
On 12 July 2016, the European Commission adopted the replacement for the EU-US Safe Harbor scheme which was invalidated in Schrems v DPC – the so-called ‘Privacy Shield’, which addresses the wider concerns raised by the Schrems judgment. The Shield imposes greater obligations on US companies who self-certify under the scheme and provides for stronger oversight and enforcement against participating companies by US authorities. In addition, EU concerns over US surveillance have been addressed through commitments given by US authorities and by reforms in US surveillance laws.
Privacy Shield is separate and distinct from the SCC Decisions, and, to date, its validity has not been challenged in the current litigation. However, it is possible that a judgment in the current case could have a knock-on effect on the Privacy Shield and lead to doubts about its validity.
An adverse ruling on SCCs will likely have major ramifications for the transfer of data between the EU and other jurisdictions.
Businesses that rely on international data transfers should follow this case closely. However, it is important to note that, unless and until the CJEU finds that the SCC Decision are invalid, SCCs remain a valid ground to transfer personal data from Europe. If a reference is made, a judgment from the CJEU is unlikely to come down before 2017.