In a potentially landmark case, the CJEU will consider the sufficiency of Standard Contractual Clauses for data transfers from the EU to the US
In 2013, public revelations about the US National Security Agency’s surveillance practices raised concerns for many EU citizens, including Max Schrems, over US government access to personal data being held by US organizations. Schrems initiated a lawsuit in Ireland taking the position that US laws and the Safe Harbor program then in place did not adequately protect his personal data held by Facebook from unacceptable “mass transfers” to the US government for the purposes of that surveillance. The case eventually resulted in the Court of Justice of the European Union (“CJEU”) issuing a ruling invalidating the Safe Harbor program in October 2015.
Subsequently, representatives of the EU member states’ data protection authorities issued guidance on adapting to the loss of Safe Harbor protections, including pointing organizations towards the use of Model Contracts employing Standard Contractual Clauses (“SCCs”) approved by the European Commission. SCCs had been in use, in one form or another, since 2002, and many more organizations adopted them during the interim period between the Safe Harbor program’s invalidation and the implementation of the new Privacy Shield program.
Since then, Schrems has also challenged the sufficiency of SCCs, arguing that they too provide inadequate protections for the personal data of EU citizens transferred to the US. In October 2017, the Irish Court hearing the case issued an order concluding “that there is mass indiscriminate processing of data by the United States government agencies” and describing the concerns and objections raised about data transfers to the US under SCCs as “well-founded.” The Court then announced referral of the matter to the CJEU for the resolution of several legal questions.
Last week, the Irish Court published its referral with the specific legal questions to be posed to the CJEU. The eleven questions posed explore several aspects of the sufficiency of SCCs, the correct law to use to assess the protections, the relationship between the Privacy Shield (that replaced Safe Harbor) and the SCCs, and what qualifies as an adequate remedy under applicable law. Question 4 asks directly: “Given the facts found by the High Court in relation to US law, if personal data is transferred from the EU to the US under the SCC Decision does this violate the rights of individuals under Articles 7 and/or 8 of the Charter?” (Article 7 of the EU Charter of Fundamental Rights covers respect for private and family life, and Article 8 covers protection of personal data.)
If the CJEU answers this question (or other questions posed) in the affirmative, SCCs too may be deemed inadequate for EU-US data transfers, and many organizations may have to shift course yet again. Moreover, such a ruling could also further complicate data transfers under the new General Data Protection Regulation (“GDPR”), which goes into effect next month and was already going to require amendments to existing SCCs.