With its decision on Tuesday 3 October 2017 referring a preliminary question on the validity of the European Union’s “standard contractual clauses” (“SCC”) regime to the Court of Justice of the European Union (“CJEU”), the Irish High Court set the data protection cat amongst the transatlantic data export pigeons. And once again, Max Schrems and Facebook are at the center of the controversy.
In 2013 Max Schrems filed two complaints against Facebook Ireland Ltd with the Irish Data Protection Commissioner. One complaint called into question the Safe Harbor regime for data transfers between the European Union and the United States. The second complaint questioned the validity of the SCC regime for the transfer of data outside the European Union.
Max Schrems v. Irish Data Protection Commissioner -- Schrems I (The Safe Harbor)
The Irish Data Protection Commissioner (“DPC”) rejected Schrems’s complaint with respect to the Safe Harbor on the ground that in its Safe Harbor Decision of 26 July 2000 the European Commission considered that the U.S. ensured an adequate level of protection of the personal data.
Schrems attacked the DPC’s decision before the Irish High Court, which stayed proceedings and referred a preliminary question to the CJEU. One of the principle arguments made by Schrems was that the surveillance regime in the US, notably as revealed by Edward Snowden, renders any personal data exported to the US essentially unprotected. In its now famous opinion of 6 October 2015, the CJEU accepted the argument with respect to the US surveillance regime and ruled that (i) the Safe Harbor arrangement was invalid due to the lack of adequate legal protection of personal data transferred to the US and (ii) national data protection authorities like the DPC have the authority to investigate the adequacy of data transfers under any arrangements concluded pursuant to an adequacy decision by the European Commission.
Irish Data Protection Commissioner v. Facebook and Max Schrems -- Schrems II (the EU “Standard Contractual Clauses”)
Following the CJEU’s 2015 ruling, the Irish High Court quashed the DPC’s earlier decision not to investigate Facebook Ireland regarding the allegations in Schrems’s complaints and the DPC then commenced the investigation it had put off in the first place.
Concomitantly, Schrems revised his SCC complaint with the DPC, taking the position that Facebook’s use of the SCC does not provide the adequate legal protection necessary to otherwise permit data transfers to the US.
In the context of its newly initiated investigation, the DPC considered whether the US does provide adequate legal protection to EU users whose data is transferred. The DPC also looked into whether, in the event that the US did not afford adequate protection, Facebook’s use of the SCC could be said to increase the protection otherwise afforded to EU users and thereby render such transfers permissible?
The DPC concluded that US law fails to provide adequate legal remedies to EU citizens’ data and that the SCC regime could not remedy that shortcoming and hence Facebook’s SCC were, logically, invalid under EU law. However, it also concluded that it did not have the authority to declare the clauses invalid which would require a judicial decision.
As a result, the DPC filed suit against both Facebook Ireland Ltd. and Schrems.
In its 152 page long decision, the Irish High Court concluded that the substitution of the EU-US Privacy Shield for the invalidated Safe Harbor regime did not render Schrems’s challenge to the use of the SCC moot. The High Court further concluded that the DPC had raised some well-founded concerns on the absence of an effective remedy under US law that is compatible with the EU Charter of Fundamental Rights and that there is a risk that protected personal data transferred to the US would be accessed and processed by the US authorities in a manner contrary to the fundamental rights of EU citizens under the Charter. The High Court was of the view that the General Data Protection Regulation (commonly known as the GDPR) set to come into effect on May 25, 2018, will not have an effect on the question of the validity of the SCC regime. Finally, the High Court concluded that as there is a need for uniformity in the application of the Data Protection Directive, the CJEU is the proper body to decide the question hence the referred question.
For the moment - at least - the EU SCC regime, as well as the EU-US Privacy Shield, are intact and in effect, but in light of the High Court’s finding that “the laws – and indeed the practices – of the United States do not respect the essence of the right to an effective remedy before an independent tribunal as guaranteed by Article 47 of the Charter,” one must wonder for how long they will remain so.
The High Court has yet to formulate its question to the CJEU, but one can imagine that it will resemble the question referred to the CJEU in Schrems I:
“May and/or must the national data protection supervisory authority conduct his or her own investigation of the adequacy of data protection in a third country or is the Commissioner absolutely bound by the Commission’s decision?”
The High Court’s decision will no doubt engender high level political and diplomatic negotiations in order to find a way to continue the transatlantic transfer of data. One must wonder if the recent decision of the CJEU with respect to the EU-Canada Passenger Name Agreement might not act as a guidepost in those discussions.
In any event, EU data collectors, processors and exporters and their US counterparts should now give serious consideration to contingency plans about how they will deal with transatlantic data flows in the future (e.g., avoid transferring data, look at service providers with servers in the EU, rely on consent where possible). Regardless of the future decision of the CJEU on the question referred to it by the Irish High Court, at least one thing is clear: the future of such data transfers will not resemble the past.