On May 25, 2016, the Irish Data Protection Authority issued a press release stating its intention to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses. At issue is the continued mass surveillance by the U.S. government, the same basis on which the Safe Harbor arrangement was struck down.
This is the latest development in the original 2013 legal challenge brought by petitioner Max Schrems, which resulted in Safe Harbor being struck down by the Court of Justice of the European Union in October 2016. Following the CJEU’s ruling on Safe Harbor, Model Clauses remained one legal basis available to organizations seeking EU-U.S. data transfer.
In a press release from May 25, Schrems stated, “I have received the draft decision by the Irish DPC yesterday night and we were informed that the DPC is intending to file the necessary proceedings with the Irish courts within the next days.”
After the CJEU invalidated the Safe Harbor scheme, many organizations, including Facebook, began using Model Clauses as the new basis of transfer for EU data. The EU Article 29 Working Party has stated that it is also assessing the legality of the Model Clauses but that organizations may continue to use them in the interim.
Binding corporate rules and obtaining consent from data subjects remain unchallenged mechanisms of data transfer to the United States. However, mass surveillance by the U.S. government remains the common core issue.
More than a year may be likely to pass before the CJEU issues a ruling on this matter. The Irish DPA referred the original case brought by Schrems to the CJEU on June 18, 2014, and the Court issued its decision October 6, 2015. Unless and until the CJEU issues a decision striking down the EC decisions establishing the Model Clauses (Decision 2001/497/EC, Decision 2004/915/EC and Decision 2010/87/EU), the Model Clauses remain valid. Until this time, organizations may continue to rely on them for data transfer.
The European Commission and United States also have been negotiating a new data transfer arrangement to replace Safe Harbor, the EU-US Privacy Shield. Negotiations currently remain ongoing.
In addition, U.S. President Obama signed the Judicial Redress Act into law in February, in effect giving select U.S. allies the same protections under the Privacy Act offered to U.S. citizens. The Act was seen as key to final approval of the Privacy Shield by European DPAs. It could also have an effect on the outcome of the CJEU’s decision regarding the validity of Model Clauses. With the Judicial Redress Act in place, it is possible that the Court could uphold EU Model Clauses despite striking down Safe Harbor.