Irish High Court: Validity of the Standard Contractual Clauses to be Decided by the ECJ

On 3 October 2017, the Irish High Court delivered a key judgment regarding the future of the EU Commission standard contractual clauses (SCC) and cross-border data transfers. Asked to rule on the validity of the SCC in the Schrems 2.0 case, the High Court found that the Irish Data Protection Commissioner had raised well-founded concerns about their validity and decided to refer the question to the European Court of Justice (ECJ).

Max Schrems, a Facebook user, complained to the Irish Data Protection Commissioner about the transfer of his personal data from Facebook Ireland to Facebook’s US headquarters. He argues that US electronic surveillance laws and spy programmes – notably, PRISM and Upstream – allow US intelligence agencies to access his personal data in the US in a manner that violates his EU fundamental rights to privacy and data protection. He also argues that, under US laws, EU data subjects do not have an effective remedy against these practices.

Facebook EU-US data transfers were initially covered under the Safe Harbor program, but Schrems’ complaint eventually led to the invalidation of the Safe Harbor, considered an inadequate safeguard, by the ECJ on 6 October 2015 (Schrems 1.0). Facebook data transfers are now covered by an agreement based on the SCC, which Schrems is now challenging (Schrems 2.0).

After analysing US surveillance laws, the Irish Data Protection Commissioner concluded that there were well-founded concerns that:

• US surveillance laws are indeed incompatible with EU privacy and data protection fundamental rights and do not offer EU data subjects an effective remedy against US intelligence agencies practices, and
• The SCC do not address these concerns (i.e. they are an inadequate safeguard) and are therefore invalid.

Because the Irish Data Protection Commissioner does not have the authority to invalidate the SCC itself, it referred the case to the High Court, asking it to, in turn, refer the case to the ECJ.

Proceedings and High Court decision

During the proceedings, each party had the opportunity to call its own US experts to present a testimony on US surveillance laws, especially Section 702 of the Foreign Intelligence Surveillance Act, the Executive Order 12333, and the Presidential Policy Directive 28.

The High Court analysed the scope of US intelligence surveillance powers under these laws, and under the PRISM and Upstream spy programmes in particular. It then moved on to assess whether the US statutory and administrative oversight mechanisms – including the Judicial Redress Act, FISC, PCLOB and the Privacy Ombudsperson – were sufficient to offer an effective remedy to EU data subjects.

The High Court eventually concurred with the concerns of the Data Protection Commissioner regarding the incompatibility of US surveillance practices with EU law and the absence of effective remedy. It also analysed the SCC and agreed that there were well-founded grounds for believing that they are invalid.

Given its findings, the High Court decided to refer the case to the ECJ under a preliminary ruling procedure. It has, however, not yet established the question(s) that will be referred to the ECJ. The High Court gave the parties time to make their submissions to help it frame them.

What’s next?

Once the High Court will have finalized the question(s), the case will be sent to the ECJ. But the outcome will not be known before some time. In 2016, the average duration of a preliminary ruling proceedings before the ECJ was 15 months. In the meantime, the SCC will continue to remain valid.

The outcome of this case may have crucial consequences on the future of data transfers outside of the EEA and to the US in particular. In its 2016 Annual Privacy Governance Report, the IAPP indicated that 89% of EU companies rely on the SCC to cover their data transfers to the US (and more than 80% rely on the SCC for their international transfers generally).

How OneTrust helps?

Keeping track of data transfer mechanism on a per process basis is very important at a time when both SCCs and Privacy Shield are under threat. OneTrust provides a platform where vendors and processes can be easily reviewed and analysed should there be a need to make quick changes if one of these transfer mechanisms is invalidated. If you worked for, or with, a company that went through the transition form Safe Harbor to Privacy Shield, you know the importance of being organised and aware of this information.