The Irish Supreme Court has recently ruled that it is not within its power to reject a High Court decision to make a reference to the European Court of Justice (ECJ) regarding the validity of the Standard Contractual Clauses adopted by Facebook. This means the case will proceed for consideration by the ECJ.
The proceedings which led to the High Court referral were brought by the Irish Data Protection Commissioner following complaints by Max Schrems, the Austrian privacy campaigner who brought about the collapse of the EU – US Safe Harbor scheme back in 2015, that the transfer of his data by Facebook to the US breached his EU data privacy rights.
What are Standard Contractual Clauses?
The General Data Protection Regulation restricts transfers of personal data outside the European Economic Area (EEA) unless the rights of the individual data subject are protected. One of the ways accepted by the European Commission and the ICO is entering into a standard contractual clause contract with the party outside the EEA.
Standard contractual clauses are a contractual template, approved by the European Commission, setting out obligations in respect of data sharing. The Commission accepts them as providing adequate safeguards to allow an organisation to transfer personal data outside the EEA. Max Schrems argues that simply entering into one of these contracts, which take a standard prescribed form, does not guarantee adequate protections for data subjects.
Why could this judgement be significant?
Many organisations, such as Facebook, rely on standard contractual clauses to transfer people’s personal data outside of the EEA.
If the European Court of Justice were to find that these contracts were invalid, thus preventing companies from easily transferring data outside of the EEA, companies would have to seek an alternative mechanism for their overseas data transfers or build data centres to house their servers within the EEA. This would be a very costly process for any company to undertake; hence many organisations are hoping that standard contractual clauses remain in place.
I still remember the ripples the Schrems decision on Safe Harbor sent through the technology sector in 2015 and remember talking about the issue and the challenges for the sector with the Rt Honourable Theresa May during her time as Home Secretary at an event in her local constituency. When Safe Harbor was declared “unsafe” by the European Court of Justice in 2015, those relying on it as an approved method of transferring personal data to the US endorsed by the European Commission were suddenly left without a method for lawfully transferring personal data to the US. Many organisations fell back on Standard Contractual Clauses until the new Privacy Shield scheme was put in place – now that both are being challenged, the future for international data transfers is uncertain.
What about Brexit?
Once (or if!) we leave the EU, the UK will be a third country for the purposes of EU data protection legislation, which means EU companies will not be able to send UK companies personal data without ensuring adequate safeguards are in place (as the transfer will be to a country outside the EEA).
The ICO have indicated that an adequacy decision from the EU Commission (which would essentially say the UK is a safe country to transfer personal data to) cannot be negotiated until we actually leave, so it is very unlikely such a decision will be in place on exit date. Standard Contractual Clauses are currently approved by the European Commission as providing sufficient safeguards for transferring personal data outside of the EEA, so if they are declared invalid UK companies will need to explore other options.
What Happens Next?
The European Court of Justice is expected to hear the case on the 9th July 2019 in Luxembourg, with a full judgement expected after the summer. The hearing on standard contractual clauses has just been delayed by the ECJ as it has decided to also hear Schrems’s challenge to the Privacy Shield (the replacement for Safe Harbor) at the same time. At the heart of these challenges is the concern that US law permits mass surveillance by the US government, so an equivalent level of protection for personal data transferred to the US cannot be guaranteed.
The outcome of the decision will be eagerly awaited, with trepidation, by organisations that transfer data outside the EEA, particularly those in the technology and IT sector, but it has wider implications, as most businesses now rely in some way on IT providers or use software which is hosted overseas.
We will keep you updated as the case progresses, but now is definitely a good time to be reviewing your overseas data transfers and checking what protections you have in place so you are ready to act quickly if the situation changes.