A PRIMER ON DATA TRANSFER UNDER EU LAW

  • Under the Directive, data transfers to third countries outside the EEA are generally prohibited unless the European Commission (the "Commission") considers the level of data protection in that country to be "adequate" for the purposes of Article 25 of the Directive (known as an "adequacy decision"), or where certain specified measures are taken pursuant to Article 26 of the Directive.

WHAT ARE STANDARD CONTRACTUAL CLAUSES?

  • One such measure is the use of standard contractual clauses (or "SCCs") which have been approved by the Commission and which are included in contracts between the transferring party (based within the EEA and known as the data exporter) and the receiving party (based in the third country and known as the data importer).
  • SCCs therefore impose contractual obligations on the parties to ensure an adequate level of data protection even where the third country to which the data is transferred is not itself deemed adequate.
  • SCCs do not impose any obligations on public authorities in the third country to which the data is transferred.
  • SCCs are widely used as a mechanism to transfer personal data from the EEA to third countries such as the US, which do not have an adequacy decision.

On 3 October 2017, the Irish High Court handed down judgment in Data Protection Commissioner v Facebook and Maximillian Schrems, a case known as "Schrems II" concerning the validity of standard contractual clauses ("SCCs") as a mechanism to facilitate the transfer of personal data to third countries located outside the EU. The High Court will now refer certain questions on the validity of SCCs to the Court of Justice of the European Union ("CJEU") for determination. This briefing considers the case and its implications for international data transfers.

BACKGROUND – SCHREMS I

The High Court's ruling is the latest instalment in a long-running dispute involving Austrian citizen, Maximillian Schrems, Facebook and the Irish Data Protection Commissioner ("DPC"). Mr. Schrems previously complained to the DPC claiming that his personal data had been unlawfully transferred from Facebook's Irish subsidiary to its US-based parent, Facebook, Inc. in reliance on the EU-US Safe Harbour framework. The DPC initially rejected Mr. Schrems' complaint but on a judicial review, the High Court referred the matter to the CJEU. In an important 2015 decision, the CJEU struck down the Safe Harbour framework on grounds that the Safe Harbour framework failed to provide the personal data of EU citizens with an effective level of data protection "essentially equivalent" to that guaranteed within the EU under the Data Protection Directive 1995 (the "Directive"), read in light of the Charter of Fundamental Rights of the European Union (the "Charter").

Among the key reasons underlying the CJEU ruling in Schrems I was that in the event of conflict of obligations, US national security interests took primacy over the data protection principles contained in the Safe Harbour framework and the fact that US public authorities, particularly US security agencies, were not bound by the Safe Harbour principles. In the aftermath of the Schrems I ruling, Mr. Schrems reformulated his complaint to the DPC claiming that Facebook's reliance on SCCs as a mechanism to transfer his personal data to the US was also invalid.

SCHREMS II

In response to Mr. Schrems' reformulated complaint, the DPC conducted an investigation before applying to the High Court seeking a preliminary reference to the CJEU for that court to consider whether the SCCs were compatible with EU law. The unique posture of the case – with the DPC as plaintiff and Mr. Schrems and Facebook both enjoined as defendants, as well as multiple so-called "friends of court" also making submissions – is a consequence of the CJEU ruling in Schrems I. In that case, the CJEU established that it was within the powers of each local supervisory authority, and specifically the DPC, to investigate and examine any Commission adequacy decision (the Safe Harbour framework in Schrems I and the SCCs in Schrems II), but that only the CJEU itself has the jurisdiction to strike down such Commission decisions. Accordingly, the DPC could examine and raise its concerns regarding the SCCs but the CJEU alone could rule on their validity.

THE DPC'S "WELL-FOUNDED CONCERNS"

The DPC in particular raised its "well-founded concerns" that, in the context of the use of SCCs for data transfers to the US, there is an absence of an effective judicial remedy under US law – as required by Article 47 of the Charter – for EU citizens to seek redress where US security agencies have unlawfully processed their personal data. The High Court heard expert evidence detailing the US security and surveillance legal framework and practices and found "there is mass indiscriminate processing of data by the United States government agencies", if not necessarily mass surveillance. Based on this finding, together with the restrictive rules on the right of access to US courts to take a case and seek a remedy (known as "standing rules") for breach of EU data protection rights, the High Court found that there were "significant barriers" which made it "exceedingly difficult" for EU citizens to seek redress through the US courts. In light of these difficulties in seeking redress once personal data has been transferred to the US using the SCCs, the High Court echoed the DPC's "well-founded concerns" and took the decision to refer certain questions to the CJEU for that Court to determine on an EU-wide basis whether SCCs are compatible with the Directive and the Charter. The High Court will hear further submissions before deciding on the specific questions to be referred to the CJEU.

WHAT DOES THIS MEAN FOR SCCS?

Although the High Court reference to the CJEU means that the use of SCCs could be declared invalid as a mechanism for data transfers to the US (and potentially other third countries also), SCCs will remain a valid mechanism to transfer personal data to third countries pending any determination by the CJEU. Based on previous practice it is unlikely that any CJEU ruling would be issued for at least 12-15 months from the date of the referral from the High Court. As noted, the Court will hear further submissions before making such a reference. In the interim, SCCs therefore remain an appropriate method for data transfers to third countries, including the US.

WILL THE GDPR CHANGE ANYTHING?

With the General Data Protection Regulation (Regulation 16/679/EC) ("GDPR") taking effect in May 2018, the current form of the SCCs (which are based on a series of Commission decisions taken under Article 26 of the Directive) is due to be revised for GDPR purposes. In practice this will likely mean that a new set of GDPR SCCs will replace the current versions prior to May 2018. If this is to be the case, any CJEU decision in response to the High Court referral may not directly affect the SCCs if a new version is put in place before the CJEU makes a decision in Schrems II. However, there remains a risk that the general principles underlying the use of SCCs could be open to challenge based on the CJEU's ruling in Schrems II if the third country does not provide adequate remedies for EU citizens to seek redress for breach of their data protection rights.

CONCLUSION

While the High Court ruling casts doubt on future use of SCCs as a mechanism to transfer personal data to third countries, it is unlikely that any such CJEU ruling will take place for at least 12-15 months. We will continue to monitor these developments closely, but in the interim SCCs remain a valid mechanism for the transfer of personal data to third countries pending any CJEU ruling in Schrems II.

This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.