The Irish High Court is considering the questions to be referred to the Court of Justice of the European Union (“CJEU”), following the landmark decision on 3 October 2017 that questions regarding the validity of standard contractual clauses (“SCCs”) should be referred (further details of which can be found here). Ms Justice Costello finished hearing the parties and amici on the precise content of the questions to be referred on 18 January 2018. Since the parties were unable to agree on their scope, never mind specific wording, it is likely to be a number of weeks before Ms Justice Costello finalises the questions. The final wording will be crucial to assessing the potential implications of these proceedings for existing mechanisms for transferring personal data outside the EU, including the SCCs, Privacy Shield and Binding Corporate Rules.
The main points of contention between the parties were as follows:
- Adequacy Assessment: The background to the case relates to whether the rights of EU data subjects are adequately safeguarded when their personal data are transferred to the United States under the SCCs. In that regard, the CJEU will be asked about the appropriate manner of assessing the concept of “adequacy”. The parties were in disagreement as to whether this question should refer to “adequate safeguards” under Article 26 of the Data Protection Directive as a standalone concept or whether, as advocated by the Data Protection Commissioner, the broader concept of “adequacy” of non-EEA country laws in Article 25 should be considered.
- Validity of SCCs: The parties are not agreed on whether the questions relating to the validity of the SCCs should refer to their validity generally when used for transfers to any third country, or in respect of their validity for transfers to the United States only.
- National Security: All of the parties were agreed that the CJEU should be asked to clarify the precise scope of the national security exemption contained in the Data Protection Directive, particularly in the context of online surveillance.
- Privacy Shield: There was disagreement between the parties over whether the Privacy Shield decision, which permits data transfers to the United States in some circumstances, was relevant to the questions to be referred to the CJEU.
The practical difficulties of handling a case of this nature involving three parties and four amiciwere clear over the course of a four day hearing in which five sets of proposed questions were put before the Court, and arguments were made about how United States law should be characterised in the order for reference to the CJEU.
These practical difficulties highlight the limitations of existing court procedures to deal with a case of this kind. The Data Protection Commissioner’s desire to refer questions to the CJEU has been, through necessity, shoehorned into traditional adversarial proceedings that are not an ideal fit. This is partly because Irish legislation currently does not provide for any clear mechanism for the Data Protection Commissioner to bring these proceedings in the manner contemplated by the CJEU in paragraph 65 of its Schrems I decision. It is notable that the Irish Data Protection Bill (which has yet to be published) is expected to contain provisions designed to address this lacuna.