Following the upheaval caused by the invalidation of the Safe Harbour agreement by the Court of Justice of the European Union (CJEU) in the 2015 Schrems Case (Schrems I) (see our previous blog post here), the use of standard contractual clauses (SCCs) has become the favoured method of enabling personal data transfers between the EU and US (and has been to many other non-EU jurisdictions).

However, the decision by the Irish Data Protection Commissioner (DPC) on 3 October 2017, to refer to the CJEU Mr Schrems’ latest challenge to the intercontinental transfer of EU personal data, casts a cloud of doubt over the long-term future of SCCs.

In this latest challenge (Schrems II), Mr Schrems argues that the use of SCCs are, in part, as equally invalid as the Safe Harbour protocols for similar reasons. The current SCCs have an inbuilt emergency clause whereby data flows can be terminated by the relevant local data protection authority, (in this case the Irish DPC), whenever there is a conflicting law in a foreign country.

In his submissions, Mr Schrems mirrors the position in the 2015 case, stating that US surveillance laws and practices (brought to light by the Snowden leaks) are incompatible with EU law, and therefore any company party to such laws should have their data flows suspended.

Schrems submitted that a ‘targeted solution’ was available when dealing with this issue and that the DPC, using the powers granted under the SCC’s, could stop the specified data sharing of Facebook (the subject of the complaint) only.

In its decision to refer to the CJEU however, the Irish High Court concurred with the submissions of the DPC. It was ruled that taking a targeted approach to Facebook alone did not go far enough to tackle the crux of the issue. The Court expressed that there were deeper, systematic issues at the heart of the SCC framework as a whole, and because of the potential EU wide implications of these issues, it was only appropriate to refer the case up to the CJEU.

WAB Comment

With the case now in the hands of the CJEU and no definitive answer as of yet, the future of international data transfers under the SCC framework is now clouded by uncertainty.

As the argument is built upon the same groundwork of the previously successful Schrems I case, there is a real risk that the mechanism of the standard contractual clause could be held invalid and trigger a complete overhaul of the EU-US data flow framework.

The case also highlights the very real need for a EU-UK dataflow agreement to be reached in anticipation of Brexit (see our previous blog post here), due to the GDPR remaining silent on such issues.