On October 3, 2017, the High Court of Ireland issued its decision in Data Protection Commissioner vs Facebook and Schrems1concerning the validity of the EU Standard Contractual Clauses (SCCs)—a mechanism used by a very large number of companies to transfer personal data outside of the European Union.
The Irish High Court referred this question to the Court of Justice of the European Union (CJEU). This is the second time that the CJEU has been asked to determine the validity of a data transfer mechanism. In 2015, the CJEU invalidated the EU-U.S. Safe Harbor Framework.2If the CJEU invalidates the SCCs, thousands of companies that rely on this data transfer mechanism could be left without a legal basis for the data transfers on which their businesses rely.
Background
EU data protection law prohibits the transfer of personal data outside of the EU, unless the data recipient is located in a country that is deemed to provide an adequate level of protection under EU law, or there is another legal basis to provide such adequate level of protection. Because the U.S. is not deemed to provide an adequate level of protection under EU law, companies seeking to transfer personal data to the U.S. must implement a data transfer mechanism, such as the SCCs or Binding Corporate Rules, or self-certify to the EU-U.S. Privacy Shield. Of these three, the SCCs are the most widely used. SCCs are model contracts issued by the European Commission, which require the data importer to protect EU personal data in accordance with the principles of EU data protection law.
The Judgment
Today's judgment is the latest chapter in the Schrems saga. After successfully petitioning the CJEU to invalidate Safe Harbor,3Austrian privacy activist Max Schrems returned to the Irish Data Protection Commissioner (DPC) with a request to suspend Facebook's EU-U.S. data flows, now based on SCCs. He argues that the SCCs—like Safe Harbor—cannot provide adequate protection of EU personal data in the U.S., because U.S. surveillance laws can override Facebook's contractual obligations under the SCCs. The DPC petitioned the Irish High Court to refer this question to the CJEU. Today, the Irish High Court referred the case to the CJEU, citing concerns that neither the SCCs, nor the Privacy Shield Ombudsman, instituted in the wake of the 2015 Safe Harbor invalidation, could provide adequate protection against wrongful interference by U.S. intelligence services.
Next Steps
The Irish High Court now will decide on the exact question(s) to be referred to the CJEU. The CJEU's decision is expected at the earliest in early 2019. The CJEU's judgment will have a significant impact on the data transfer strategies of thousands of companies worldwide. Like the Safe Harbor case, the CJEU's decision could also cast uncertainty on the other data transfer mechanisms, such as Binding Corporate Rules, and the EU-U.S. Privacy Shield framework.
Wilson Sonsini routinely counsels clients concerning risks related to the enforcement of privacy and cybersecurity laws, along with advising clients on general domestic and international privacy and data security issues. For more information, please contact Cédric Burton, Christopher Kuner, Lydia Parnes, Christopher Olsen, or another member of the firm's privacy and data protection practice.