Keep up to date with our blog articles, latest news and industry developments. See below for the latest posts or use the category listings to hone your search for stories of interest.
Standard Contractual Clauses At Risk After Schrems II Decision
Following the upheaval caused by the invalidation of the Safe Harbour agreement by the Court of Justice of the European Union (CJEU) in the 2015 Schrems Case (Schrems I) (see our previous blog post here), the use of standard contractual clauses (SCCs) has become the favoured method of enabling personal data transfers between the EU and US (and has been to many other non-EU jurisdictions).
However, the decision by the Irish Data Protection Commissioner (DPC) on 3 October 2017, to refer to the CJEU Mr Schrems’ latest challenge to the intercontinental transfer of EU personal data, casts a cloud of doubt over the long-term future of SCCs.
In this latest challenge (Schrems II), Mr Schrems argues that the use of SCCs are, in part, as equally invalid as the Safe Harbour protocols for similar reasons. The current SCCs have an inbuilt emergency clause whereby data flows can be terminated by the relevant local data protection authority, (in this case the Irish DPC), whenever there is a conflicting law in a foreign country.
In his submissions, Mr Schrems mirrors the position in the 2015 case, stating that US surveillance laws and practices (brought to light by the Snowden leaks) are incompatible with EU law, and therefore any company party to such laws should have their data flows suspended.
Schrems submitted that a ‘targeted solution’ was available when dealing with this issue and that the DPC, using the powers granted under the SCC’s, could stop the specified data sharing of Facebook (the subject of the complaint) only.
In its decision to refer to the CJEU however, the Irish High Court concurred with the submissions of the DPC. It was ruled that taking a targeted approach to Facebook alone did not go far enough to tackle the crux of the issue. The Court expressed that there were deeper, systematic issues at the heart of the SCC framework as a whole, and because of the potential EU wide implications of these issues, it was only appropriate to refer the case up to the CJEU.
With the case now in the hands of the CJEU and no definitive answer as of yet, the future of international data transfers under the SCC framework is now clouded by uncertainty.
As the argument is built upon the same groundwork of the previously successful Schrems I case, there is a real risk that the mechanism of the standard contractual clause could be held invalid and trigger a complete overhaul of the EU-US data flow framework.
The case also highlights the very real need for a EU-UK dataflow agreement to be reached in anticipation of Brexit (see our previous blog post here), due to the GDPR remaining silent on such issues.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.