On October 3, 2017, the Irish High Court referred Data Protection Commissioner v. Facebook Ireland Limited & Maximilian Schrems to the Court of Justice of the European Union (CJEU), where the future of standard contractual clauses (SCCs) will be decided.
In December 2015—following the CJEU’s landmark decision in Maximillian Schrems v. Data Protection Commissioner invalidating the U.S.-EU Safe Harbor framework—Schrems amended his original complaint to the Irish Data Protection Commissioner (DPC), challenging the validity of data transfers to the U.S. based on the European Commission-approved SCCs. Based on the CJEU’s Schrems decision, the Irish DPC petitioned the Irish High Court to refer the matter to the CJEU for a ruling on whether the European Commission’s SCC decisions are valid under European law. Specifically, the Data Protection Commissioner questioned whether there is an effective remedy under U.S. law compatible with the requirements of Article 47 of the EU Charter of Fundamental Rights for an EU citizen whose data is transferred to the U.S., where such data is subject to electronic surveillance by U.S. agencies for national security purposes. EU citizens have a right guaranteed by Article 47 of the Charter to an effective remedy before an independent tribunal if their rights or freedoms are violated. These include the rights under Articles 7 and 8 to respect for private and family life and protection of personal data.
The CJEU will now have to decide the validity of SCCs as a basis for data transfer from the EU to the U.S. and elsewhere. A ruling by the CJEU could take as long as two years to deliver. There are several possible outcomes: the Court could ultimately find the SCCs valid as-is; it could find them invalid as-is but recommend ways to fix them; it could find that EU data protection authorities must assess the adequacy of the SCCs on a case-by-case basis; or it could find that private contractual clauses – and potentially other data transfer mechanisms as well – do not provide adequate data protection in the context of transfers to certain jurisdictions (like the U.S.) and that the only remedy to this is a political solution (e.g., an agreement by the foreign government to grant EU data subjects certain rights). This last potential outcome could also impact the continued validity of the Privacy Shield framework for transfers of personal data from the EU to the U.S.
The developments in this case come just after the European Commission and U.S. Department of Commerce completed their first annual review of the Privacy Shield framework. While the formal report of this review is not expected until the second half of October, statements from Commission officials and European data protection authorities at the 39th International Conference of Data Protection and Privacy Commissioners have suggested that the report will be favorable. For organizations transferring data from the EU to the U.S., relief as to the outcomes of the first annual Privacy Shield review may well be overshadowed by longer-term concerns as to how the CJEU might approach this important case.