The Irish High Court has made a preliminary reference to the Court of Justice of the European Union (“CJEU”), asking whether standard data protection clauses (“standard clauses”) are compatible with the legal rights of data subjects under EU law. Standard clauses are currently used as an appropriate safeguard to facilitate the transfer of personal data outside of the European Economic Area (the “EEA”). The reference to the CJEU comes despite previous decisions from the European Commission (the “Commission”) that have approved their use.
It is worth noting that the reference does not invalidate the use of standard clauses for the moment. However, a judgment from the CJEU that does so would have implications for billions of euros worth of trade between the EU and the rest of the world. If the CJEU decides to render the use of standard clauses invalid, this would leave extremely limited scope for compliant data transfers outside of the EEA.
On 3 October 2017, the Irish High Court made a preliminary reference to the CJEU on the issue of the validity of three Commission decisions that apply to transatlantic data transfers (the “Standard Clauses Decisions”).
The reference was prompted by a complaint from Max Schrems, a lawyer and privacy campaigner, who challenged the transfer of his personal data by Facebook in Ireland to Facebook Inc. in the US for processing. This transfer of data was governed by standard clauses, which are used to provide appropriate safeguards for the transfer of personal data to countries outside of the EEA. The use of certain standard clauses had been approved by the Commission in the Standard Clauses Decisions, in accordance with Article 26 of Directive 95/46/EC (the “Data Protection Directive”).
Schrems complained that non-US persons could be subject to electronic surveillance in the US by reason of their data being transferred to the US, yet they could not rely on certain US constitutional protections. He argued that the contractual safeguards in the standard clauses did not address these concerns about an absence of effective legal remedy in the US, and therefore that the standard clauses could not provide appropriate safeguards as required by EU law. To counter this, Facebook demonstrated the many structural legal safeguards that exist under US law such that it does provide an adequate level of protection. The safeguards referred to range from constitutional protections to case law developments and executive orders such as PPD-28. In addition, Facebook argued that this case was concerned with national security, which falls outside of the scope of EU law, and submitted that the Privacy Shield Decision – whereby the Commission affirmed the adequacy of the protection provided by the EU-US Privacy Shield framework (the “Privacy Shield”) – precluded the making of a reference to the CJEU.
The Irish High Court was of the view that “[if] there are inadequacies in the laws of the US within the meaning of [EU law], the standard clauses cannot and do not remedy or compensate for these inadequacies.” Hence the referral to the CJEU to confirm the validity of the Standard Clauses Decisions.
As Justice Costello for the Irish High Court states in her judgment:
“The case raises issues of very major, indeed fundamental, concern to millions of people within the EU and beyond. Firstly, it is relevant to the data protection rights of millions of residents of the EU. Secondly, it has implications for billions of euros worth of trade between the EU and the US and, potentially, the EU and other non-EU countries. It also has potentially extremely significant implications for the safety and security of residents within the EU.”
Standard clauses are regularly relied on as a mechanism for transferring personal data outside of the EEA – not just to the US, but also to many non-EU countries. If standard clauses are ultimately rendered invalid by the CJEU, what truly viable alternative mechanisms will be available to facilitate international data transfers in practice?
Where the data protection regime in the third country has not been subject to a Commission finding of adequacy, the current UK legal framework allows exporting controllers to “adduce adequacy” themselves in a way that is consistent with the Data Protection Directive. However, once the General Data Protection Regulation (“GDPR”) comes into force in May 2018, it will no longer be possible in the UK for organisations to adduce adequacy. In the absence of an adequacy finding by the Commission under Article 45 GDPR, data transfers can only be made where the controller or processor has provided appropriate safeguards pursuant to Article 46 GDPR or under a limited number of derogations for specific situations under Article 49 GDPR.
Without the option of using standard clauses, many of the appropriate safeguards listed at Article 46 GDPR may be unworkable for international transfers in their current state. Binding corporate rules take at least 18 months to gain formal approval and only apply to intra-group transfers; and the codes of conduct or certification mechanisms are unlikely to be approved by a supervisory authority until GDPR implementation becomes more settled. The derogations under Article 49 GDPR, such as where the transfer concerns only a limited number of data subjects, are very narrowly construed and hence will rarely apply in practice.
The Privacy Shield, which is directly concerned with data transfers to the US, is likely to be a key fall-back for companies if they are unable to rely on standard clauses. However, the CJEU referral is timely given that the Privacy Shield is currently being challenged before the General Court in the Digital Rights Ireland and La Quadrature du Net cases. Since the referral to the CJEU in this case, the Commission has issued the first annual joint review of the Privacy Shield, in which it confirms that the Privacy Shield provides an adequate level of protection for the transatlantic transfer of personal data. This provides some comfort to those wishing to rely on the Privacy Shield, but sits oddly with the CJEU referral and ongoing challenges before the General Court.
To add to this perfect storm, the referral to the CJEU is also met with uncertainty as to the UK’s position as a third country post-Brexit. It is not yet clear whether the UK will remain part of the EEA, become “whitelisted” as a third country, or whether alternative mechanisms will need to be in place specifically for EEA-UK transfers. Without standard clauses, the task of achieving compliance would become increasingly difficult for organisations if this is not resolved by the time that the UK exits the EU.
The CJEU ruling could take as long as two years to deliver. If the CJEU decides to render the use of standard clauses invalid, this would strike at the core of whether one of the most established compliance methods for international data transfers can ever be considered legal in Europe. Organisations will have limited compliance options (or perhaps none at all) in terms of how to transfer data outside of the EEA. This is a frustrating state of play for organisations, especially those that wish to maintain compliance but may soon be lacking a workable solution.
The full judgment of the Irish High Court can be accessed here.
The CMS data protection team provides expert advice on all information security and privacy matters. We regularly provide advice and training to clients on data protection compliance.