Mark Rasdale & the A&L Goodbody Technology & Commercial Group summarise the key points from the recent judgment by the Irish High Court that refers to the CJEU questions about the validity of SCCs and data transfers.
In a much anticipated judgment, handed down on 3rd October, the Irish High Court decided to ask the Court of Justice of the European Union (CJEU) to rule on the validity of Standard Contractual Clauses (SCCs).
What is at stake?
SCCs, also known as “Model Contracts”, are contractual terms approved by the European Commission for validating transfers of personal data to countries outside the EEA region. SCCs are perhaps the most widely used legal instrument supporting EU-US data transfers. For many businesses, they are the only available means of lawfully transferring data to the US or other third countries.
If the SCCs are held to be invalid by the CJEU, many businesses operating from Europe will find themselves unable to lawfully transfer personal data to the US. This will in turn pose severe logistical and economic challenges to EU-US trade.
The legal challenge to the SCCs touches on the politically sensitive areas of data privacy and state surveillance. Therefore, a ruling that invalidates the SCCs will also present a fresh challenge for the EU and US authorities to negotiate a long-lasting solution to transatlantic data transfers.
Pending the CJEU’s ruling, businesses can continue to rely on the SCCs.
How did the case come about?
Back in 2013, Mr Schrems complained to the Irish Data Protection Commissioner (DPC) about the transfer of his personal data by Facebook in Ireland to its parent company in the US under the EU-US Safe Harbour mechanism.
That complaint resulted in the invalidation of the EU-US Safe Harbour mechanism by the CJEU (Schrems I). Following the CJEU decision, Facebook placed reliance on the SCCs for making legal transfers of data between Ireland and the US, and Mr Schrems decided to reformulate his complaint against Facebook.
In the course of carrying out the new investigation, the DPC determined that she had “well-founded” objections in relation to the validity of the SCCs. In particular, she was concerned that there was an absence of effective legal remedies for EU citizens whose data are transferred to the US, and she believed that the SCCs do not answer these concerns. Only the CJEU can decide on the validity of European Commission decisions such as the SCCs. Therefore, the DPC applied to the Irish High Court so that questions regarding the validity of the SCCs could be brought before the CJEU.
What did the Irish High Court say?
Ms Justice Costello delivered a wide-ranging 152-page judgment. Of particular note are the following:
Article 47/52 of the Charter
Privacy Shield Ombudsperson
The Court has not yet framed the questions to be sent to the CJEU. The parties to the proceedings will be afforded an opportunity to make written submissions on the form of such questions to be referred to the CJEU, and the Court will then determine the exact questions to refer.
Once the reference is made, it will be for the CJEU to fix a hearing date. It usually takes an average of 1.5 years before the CJEU rules on a reference, although the CJEU may decide to prioritise the hearing of this case given its importance.
The full judgment can be found on the Irish High Court website.