WSGR ALERT

European Court of Justice to Rule on Validity of Standard Contractual Clauses

October 3, 2017

On October 3, 2017, the High Court of Ireland issued its decision in Data Protection Commissioner vs Facebook and Schrems1 concerning the validity of the EU Standard Contractual Clauses (SCCs)—a mechanism used by a very large number of companies to transfer personal data outside of the European Union.

The Irish High Court referred this question to the Court of Justice of the European Union (CJEU). This is the second time that the CJEU has been asked to determine the validity of a data transfer mechanism. In 2015, the CJEU invalidated the EU-U.S. Safe Harbor Framework.2 If the CJEU invalidates the SCCs, thousands of companies that rely on this data transfer mechanism could be left without a legal basis for the data transfers on which their businesses rely.

Background

EU data protection law prohibits the transfer of personal data outside of the EU, unless the data recipient is located in a country that is deemed to provide an adequate level of protection under EU law, or there is another legal basis to provide such adequate level of protection. Because the U.S. is not deemed to provide an adequate level of protection under EU law, companies seeking to transfer personal data to the U.S. must implement a data transfer mechanism, such as the SCCs or Binding Corporate Rules, or self-certify to the EU-U.S. Privacy Shield. Of these three, the SCCs are the most widely used. SCCs are model contracts issued by the European Commission, which require the data importer to protect EU personal data in accordance with the principles of EU data protection law.

The Judgment

Today's judgment is the latest chapter in the Schrems saga. After successfully petitioning the CJEU to invalidate Safe Harbor,3 Austrian privacy activist Max Schrems returned to the Irish Data Protection Commissioner (DPC) with a request to suspend Facebook's EU-U.S. data flows, now based on SCCs. He argues that the SCCs—like Safe Harbor—cannot provide adequate protection of EU personal data in the U.S., because U.S. surveillance laws can override Facebook's contractual obligations under the SCCs. The DPC petitioned the Irish High Court to refer this question to the CJEU. Today, the Irish High Court referred the case to the CJEU, citing concerns that neither the SCCs, nor the Privacy Shield Ombudsman, instituted in the wake of the 2015 Safe Harbor invalidation, could provide adequate protection against wrongful interference by U.S. intelligence services.

Next Steps

The Irish High Court now will decide on the exact question(s) to be referred to the CJEU. The CJEU's decision is expected at the earliest in early 2019. The CJEU's judgment will have a significant impact on the data transfer strategies of thousands of companies worldwide. Like the Safe Harbor case, the CJEU's decision could also cast uncertainty on the other data transfer mechanisms, such as Binding Corporate Rules, and the EU-U.S. Privacy Shield framework.

WSGR will continue to monitor the news and update you on any significant developments.

Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws, along with advising clients on general domestic and international privacy and data security issues. For more information, please contact Cédric Burton, Christopher Kuner, Lydia Parnes, Christopher Olsen, or another member of the firm's privacy and data protection practice.


1 See the Irish High Court judgment, delivered on October 3, 2017, as published by the Irish DPC, available at https://dataprotection.ie/documents/judgements/DPCvFBSchrems.pdf.
2 See our WSGR Alerts: "EU's Highest Court declares Safe Harbor Invalid" (October 6, 2015), available at https://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-safe-harbor-invalid.htm and "EU Data Protection Authorities Issue Statement Following Schrems Decision" (October 16, 2015), available at https://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-schrems-statement.htm.
3 See the CJEU Judgment, delivered on October 6, 2015, in Case C-362/14 Maximillian Schrems v. Data Protection Commissioner (request for a preliminary ruling from the High Court (Ireland)), available at http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=1&part=1&mode=req&docid=169195&occ=first&dir=&cid=111628.