What's at Stake in the Latest Landmark EU International Data Privacy Case?

The long-running legal challenge on the validity of transfers of personal data from the European Union reached another milestone last week. On October 3, the Irish High Court referred questions on the validity of EU Standard Contractual Clauses (SCCs) (which are also known as EU Model Clauses) to the Court of Justice of the European Union (CJEU). While the ruling of the CJEU will take some time, the case has potentially enormous ramifications for businesses in the EU and U.S. for whom the international transfer of data is essential.

International Data Transfers Under EU law

Under EU data privacy law, transfers of personal data outside of the European Economic Area (EEA) are prohibited unless the destination territory provides an “adequate” level of data protection. While certain countries have been designated as being adequate; the U.S. has not. The principal mechanisms for such transfers are:

1. Data transfer agreements incorporating the relevant set of SCCs, which have been authorized by the European Commission as a valid transfer mechanism.
2. Binding Corporate Rules (individually approved by the appropriate supervisory authority) for global businesses in respect of intra-group transfers.
3. Certification under the EU-U.S. Privacy Shield, summarized in our previous alert.

Background to the Second Schrems Challenge

In October 2015, the Court of Justice of the European Union invalidated the EU-U.S. Safe Harbor scheme, as summarized in our previous alert, following a complaint brought by an Austrian privacy activist, Max Schrems. This led to Safe Harbor being replaced by the Privacy Shield.

Mr Schrems is now seeking to challenge the validity of SCCs in a case concerning the transfer of personal data from Facebook Ireland to Facebook Inc. in the U.S. In response to this challenge, the Irish Data Protection Commissioner sought a ruling from the CJEU (via the Irish High Court) on the validity of SCCs. Four parties were joined as amici curiae to the proceedings, including the U.S. government.

The second Schrems challenge was based on similar principles to the successful challenge to the Safe Harbor scheme: that U.S. law and practice does not ensure adequate protection against surveillance activities by public authorities.

An Overview of the Ruling

In a very detailed judgment, the Irish High Court found that there were well-founded concerns about the validity of the decisions by the European Commission, which authorised the use of SCCs. The Irish High Court, therefore, decided to refer the matter to the CJEU for a preliminary hearing.

In its judgment, the Irish Court placed significant weight on the absence of an effective remedy before an independent tribunal and the lack of a mechanism for data subjects to challenge wrongful interceptions by public authorities of their personal data, in respect of data transfers to the U.S. Such a remedy is required by the EU Charter of Fundamental Rights, which guarantees fundamental rights (including privacy) of EU citizens.

The Court disagreed with Facebookˈs submission that the issue was one of national security and, thus, fell outside the scope of EU law. SCCs are agreements between private entities involved, more often than not, in commercial activities. Accordingly, SCCs fall under EU law and the CJEUˈs jurisdiction. SCCs are unable to bind the sovereign authority of the U.S. government and its agencies. Consequently, data protection authorities (including the Irish Data Protection Commissioner) must ensure that personal data receives a high level of protection when transferred internationally, even where such data is transferred pursuant to SCCs. SCCs cannot remedy general or fundamental inadequacies (as judged against the requirements of EU privacy laws) in a third country. The Irish Court will now allow submissions from the parties as to the nature and scope of the questions to be referred.

Practical Implications

The present decision does not affect the current legality of international data transfers pursuant to SCCs. However, given that the CJEU has the authority to invalidate SCCs (in the same way it invalidated Safe Harbor), its future judgment on this issue will have enormous implications for international businesses. As recognised in the judgment of the Irish Court, invalidation of SCCs would fundamentally affect billions of euros worth of trade between the U.S. and the EU. Whilst no action is required in the immediate term, businesses should monitor developments in this case closely.

Following the invalidation of the Safe Harbor scheme, many companies implemented SCCs as a stop-gap measure. Some continue to rely on SCCs as they weigh the potential benefits of certification under the Privacy Shield scheme. To some extent this is a somewhat tedious, but necessary, paper compliance exercise. However, as part of this process, companies need to look at the categories of personal data which they are exporting outside of the EEA, the purposes of the transfers, and the recipients of the personal data. In cases in which the personal data is transferred to a data processor outside the EEA, the SCCs also need to include a description of the technical and organizational measures implemented to ensure the security of the personal data. This is a valuable exercise in itself for any organization that processes a significant amount of personal data.

Companies frequently underestimate the volume and sensitivity of this data, which includes personal data on customers and a company’s own employees. Understanding the nature of the personal data and where and why it is processed is a fundamental part of good data management, and it is vital in avoiding a potential data breach. There is less than one year left before the EU’s General Data Protection Regulation comes into force – bringing with it a substantial compliance burden. While this does not significantly change the mechanics of international data transfers, the potential costs of non-compliance are significantly higher in the form of fines of up to four percent of global revenue and temporary or permanent bans on processing of personal data or on transfers outside of the EEA.