Data Protection: New Shadows Cast Over International Data Transfers
17 October 2017
Author: Erkko Korhonen
Legality of the Standard Contractual Clauses Referred to the CJEU
The Standard Contractual Clauses (the “SCCs” or the “EU Model Clauses”) have provided a mechanism for transferring personal data outside the EEA when incorporated into a contract between controllers or a controller and a processor. These model clauses have been adopted by the European Commission and there are three versions of them – from 2001, 2004 and 2010. The SCCs are meant to help businesses to lawfully transfer personal data from the EU to countries outside of the EEA.
However, on 3 October 2017, by a request from the Irish Data Protection Commissioner (the “Irish DPC”), the Irish High Court decided to refer the question of the validity of the SCCs to the Court of Justice of the European Union (the “CJEU”) for a preliminary ruling under Article 267 of The Treaty on the Functioning of the European Union. The Irish High Court stated that the SCCs raise “well-founded concerns” about the transfer of personal data to countries outside the EEA, particularly to the U.S., and that it is not within any national court’s competencies to decide on the validity of these clauses.
The case arose after Max Schrems, following his success in the CJEU’s landmark, the “Schrems Case”, in invalidating the Safe Harbour framework in October 2015 (see our newsletter), requested the Irish DPC to also declare the SCCs invalid under EU law. His complaint concerned Facebook’s transfer of personal data from Ireland to the U.S. on the basis of the 2010 version of the SCCs. The Irish DPC then referred the decision on the validity of the SCCs to the Irish High Court, which, in turn, referred the decision to the CJEU.
This “Schrems II” case is substantial, since it might significantly influence future data transfer from the EU to third countries and is thus relevant to all businesses currently relying on the SCCs. Nevertheless, a ruling by the CJEU could take as long as two years, so in the meantime, the SCCs are still valid and businesses can continue using them. However, it is wise to keep your eyes open and be mentally ready to adopt possible new data transfer solutions in the future.
First Year of the Privacy Shield
It has now been over a year since the Privacy Shield arrangement replaced the above-mentioned Safe Harbour framework to govern transfers of personal data between the EU and the U.S. Therefore, the European Commission and the U.S. Department of Commerce have completed their first annual review of the Privacy Shield. Even though the full report is not expected to be published until the second half of October, statements from Commission officials and European data protection authorities predict that the report will be favourable.
Conversely, prior to the annual review, many organisations have raised their concerns in relation to the Privacy Shield. It has been questioned whether the framework truly provides an adequate level of protection to personal data when transferred to the U.S., especially in connection with the bulk collection of data by U.S. authorities for surveillance purposes. It remains to be seen whether the Privacy Shield will eventually share the same fate as the Safe Harbour. Until proved otherwise, the Privacy Shield is still an applicable framework and businesses can rely on it. We at Hannes Snellman will keep you updated on the possible changes around this area.
If you have any questions about the EU-U.S. data transfers, please feel free to contact our data protection and privacy specialists at any time.