Legality of Standard Contractual Clauses (SCC’s) hangs in the balance awaiting decision by CJEU

Ireland’s High Court has just ruled today (Tuesday 3 October 2017) that the decision to ban the use of Standard Contractual Clauses (SCC) by social media giants like Facebook, Microsoft and Google to transfer users’ personal data to the US must be initially decided by the Court of Justice of the European Union (CJEU).

Giving her judgment in open court, Irish High Court Judge Caroline Costello said: “I have decided to ask the Court of Justice for a preliminary ruling. European Union law guarantees a high level of protection to EU citizens…they are entitled to an equivalent high level of protection when their data is transferred outside of the European Economic Area.”

This of course looks like a spooky re-run of the Safe Harbor legal action brought by Max Schrems that resulted in the CJEU declaring that mechanism to be unworkable back in October 2015.

Judge Caroline Costello was probably sensitive to the comparisons that could be drawn with this case with what happened back in 2015 and was at pains to point out she wasn’t delivering any value judgment on the data protection laws of the European Union or the United States by referring this matter to the highest court in Europe for adjudication.

Judge Costello said she would now hear submissions from the parties about the questions to be referred to the CJEU and the matter will be mentioned in the Irish High Court again in a week’s time when a date will be set for those submissions.

Outside court, Max Schrems declared himself pleased with the referral to the CJEU.

Background to this legal action

This case arose from complaints made by Max Schrems to the Irish Data Protection Commissioner (DPC) on 25 June 2013 concerning the transfer of his personal data by Facebook from the EU to the US.

The complaint followed the Snowden disclosures that revealed evidence of surveillance by the US National Security Agency of certain internet and telecommunications systems operated by companies including Facebook, Microsoft and Google.

Schrems was concerned that his personal data may have been accessed by the US State Security Agencies without his consent because his personal data was being transferred from Facebook to its US parent company, Facebook Inc, under the previous Safe Harbor rules.

The DPC declined to investigate Schrems’ complaint, finding its hands were tied under existing national and EU laws to apply Safe Harbor rules.

Schrems then applied to the Irish High Court for a judicial review of the DPC’s decision.

On 18 June 2014, Justice Gerard Hogan delivered his judgment, holding that the essential question for determination was whether the DPC was bound by the EU Commission’s decision on the Safe Harbor regime regarding the adequacy of data protection law and practice in the US. The Irish High Court referred the issue to the CJEU because it didn’t have authority to make such a ruling.

On 6 October 2015, the CJEU in Maximillian Schrems v Data Protection Commissioner (Case C 362/14) ruled that the Safe Harbor scheme was invalid.

On 20 October 205, Schrems’ proceedings were returned before the Irish High Court and the decision of the CJEU was implemented through a High Court order that set aside the decision by the DPC not to investigate Schrems’ complaint of 25 June 2013.

One nil to Schrems. But it wasn’t over yet.

The High Court then remitted Schrems’ original complaint back to the DPC for further investigation. The DPC subsequently opened an investigation into Schrems’ original complaint but he subsequently re-formulated his complaint to take account of the fact that the Safe Harbor scheme was deemed invalid.

His argument was now based on Facebook’s use of Standard Contractual Clauses (SCC’s) in order to authorise EU to US personal data transfers.

On 24 May 2016, the DPC issued a draft decision which found that Schrems raised “well-founded” objections. Perhaps they were now coming around to Schrems point of view or were worried of suffering another reversal?

Either way, the DPC formed a preliminary view that using SCC’s didn’t provide the level of protection necessary for EU Data Subjects and that there were “deficiencies” in the rights of EU citizens to access remedies under US law for any breach of their data protection rights.

The messages coming from President Donald Trump in the White House made this even more unsettling as well as his fondness for using Twitter as a channel for foreign policy on the hoof.

The DPC, having been bruised before, was now cautious of not wanting to make the same mistakes all over again and said it couldn’t complete the investigation without a ruling on the legal validity of SCC’s.

As a result, the DPC commenced legal proceedings in the Irish High Court seeking a legal clarification as to the validity of the EU Commission decisions concerning SCC’s and a Preliminary Reference to the CJEU on this issue.

In light of the potential implications of this case, a number of international amicus curiae or friends of the court applied to be joined to the proceedings. On 19 July 2016, the High Court ruled that four of the ten parties be joined to the proceedings as friends of the Court.

As a result, the US government, Business Software Alliance, the Electronic Privacy Information Centre and Digital Europe were allowed to make representations to the Court in relation to the proceedings.

The US government was seeking to claim that “significantly enhanced” protections have been put in place in recent years to ensure the privacy rights of EU citizens and warned of the “sweeping” commercial ramifications should the CJEU find that the SCC’s offer inadequate protection which could also undermine international co-operations to confront common threats.

Such warnings clearly fell on deaf ears and the Irish Court granted the motion of the DPC to refer the matter to the CJEU.

Data protection and privacy lawyers in every law firm and every client in the EU and beyond now await the decision with anticipation and perhaps trepidation.

In the meantime, last week a delegation from the European Commission had been warming up relations with the US Department of Commerce and others on the other side of the Atlantic in order to keep the wheels turning on the Privacy Shield bandwagon as it continues to gather momentum – albeit very slowly – as many global organisations currently prefer to rely on SCC’s as a mechanism for international personal data transfers.

It would be presumptuous to assume SCC will suffer the same fate as Safe Harbor before it– but given the political climate around data protection and privacy right now, anything is possible.

For information about the GDPR Transition Programme at Henley Business School, click here.

Leave a reply