Will the EU Standard Contractual Clauses survive the new battle between Facebook and Maximilian Schrems? On October 3, 2017, the Irish High Court issued a decision requesting the CJEU to evaluate the validity of the EU Standard Contractual Clauses (SCCs). These clauses are used to export personal data collected in the European Economic Area (EEA) to a third country.
By this decision, the High Court acknowledges that there are “well-founded grounds for believing that [the EU Standard Contractual Clauses] are invalid,” and that it is therefore necessary to refer them to the CJEU to ensure uniform data protection in the EU (see paragraph 338 of the judgment).
Note: Check out my law review article on U.S. Data Privacy Laws and whether they start to converge with the EU model
The EU Standard Contractual Clauses are used to transfer data between a data exporter in the EEA and a non-EEA data importer. By these clauses, the importer undertakes to comply with European data protection standards. They are approved by the European Commission (Decision 2010/87 / EU of 5 February 2010). Since the Safe Harbor ceased to exist, Facebook and other companies switched to EU Standard Contractual Clauses to transfer data.
In a Nutshell
Facebook Ireland Ltd transfers Max Schrems’ data to the United States. Schrems complains of having no effective remedy if a government agency has access to his data for surveillance reasons. Facebook argues that the transfers were pursuant to the EU Standard Contractual Clauses.
The Irish Data Protection Commissioner (DPC) – the Irish Data Protection Authority – acknowledges the lack of effective remedy. The Irish High Court of Justice agrees, and asks the ECJ a preliminary ruling to ensure a harmonious response in Europe. The ECJ must now assess the validity of the clauses.
Maximillian Schrems argues before the DPC that Facebook transfers his data to the United States for processing. However, for such a transfer to a third country, the United States in this case, this country must have protection of personal data at a level equivalent to that existing in the EEA.
The European Commission did not recognise the United States as having an adequate level of data protection. Therefore, businesses need to rely on other mechanisms to make these transfers of personal data, such as the EU Standard Contractual Clauses.
Schrems claims that Facebook doesn’t respect his rights to the protection of personal data. According to him, the SCCs do not give the necessary data protection. In particular, because of the US surveillance laws. He demands respect for its rights to privacy and the protection of his personal data (Articles 7 and 8 of the Charter of Fundamental Rights of the European Union). And also his right to an effective remedy before a court (Article 47 of the Charter).
Facebook claims that the data transfers comply with the Contractual Clauses Types, which have been validated by the European Commission (Decision 2010/87/EU of 5 February 2010).
The DPC considers that Schrems makes relevant arguments. It seems indeed difficult for a European to benefit from an effective remedy in the US, if there is a transfer of personal data there. In particular, in case of access to this data by a government agency for reasons of national security.
The EU Standard Contractual Clauses do not take this problem into account. Indeed, they do not give any right to any remedy if this access occurs.
Therefore, the DPC went to the Irish High Court of Justice. The High Court rejected Facebook’s argument, and referred for a preliminary ruling to the CJEU. At the time of writing, the wording of the question still needs to be formulated. It is now up to the Court of Justice of the European Union to assess the validity of the clauses.
To read the decision, click here.
For the EU Standard Contractual Clauses & Privacy Shield
The mechanisms to transfer data between the EU and the US – Privacy Shield, EU Standard Contractual Clauses and Binding Corporate Rules – receive several critics since their enactment.
The recent first yearly review of the Privacy Shield by the EU Commission stressed the need for reform of U.S. foreign surveillance law. For instance the Foreign Surveillance Intelligence Act (FISA) allows government agencies to access data, harming data protection. As discussed above, European data subjects have no right to an effective remedy if this happens.
These problem exist for all the means to import EU data into the US, be it Privacy Shield, SCCs or Binding Corporate Rules. If the CJEU states that the SCCs are invalid, it will have a ripple effect on other data transfer mechanisms. Moreover, I remind you that numerous plaintiffs in Europe are seeking the annulment of the Privacy Shield.
A brutal invalidation of SCCs would have serious consequences for American and European companies. Access to the European market on one side, and access to US companies’ services on the other side are vital. Thinking ahead of a solution to that potential situation is critical.
However, only US electronic communication service providers are concerned. These are the only companies subject to US surveillance laws (not just to US data protection laws). This includes cloud service providers. The problem would be bigger if the invalidation of SCCs by the CJEU have ripple effects on other data transfer mechanisms.
The decision of the CJEU will have to be studied carefully. Meanwhile, the legal uncertainty should encourage data protection best practices, and to keep an eye on further developments.