Ireland to Ask EU Top Court About Data Transfer Clauses

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

May 25 — The use of standard contractual clauses (SCCs) by companies to legitimize their personal data transfers from the European Union to the U.S. will be referred to the European Court of Justice, Ireland's Office of the Data Protection Commissioner said May 25.

A ruling finding that SCCs fail to adequately protect the privacy of data from the EU would undermine one of the primary fall-back legal mechanisms used by companies in the wake of the invalidation of the U.S.-EU Safe Harbor framework, which had been relied on by over 4,400 U.S. companies and thousands of EU companies.

The ECJ invalidated the Safe Harbor in October 2015 on the basis that it was inadequate to protect the privacy rights of EU citizens, in particular in the face of possible law enforcement access to their data in the U.S. (14 PVLR 1825, 10/12/15). After months of negotiations, EU and U.S. negotiators agreed to a framework to replace the Safe Harbor—the EU-U.S. Privacy Shield (15 PVLR 269, 2/8/16).

SCCs are model contracts put in place between EU and non-EU data controllers, or between controllers and processors, that stipulate data processing standards in line with EU data protection law. The use of SCCs is permitted by European Commission decisions.

Ireland's Office of the Data Protection Commissioner told Bloomberg BNA May 25 that it had an “intention to seek declaratory relief in the Irish High Court and a referral” to the ECJ “to determine the legal status of data transfers under standard contractual clauses.”

The decision to refer SCCs to the ECJ was a further follow-up to the complaint made to the Irish data protection authority by Austrian privacy activist Max Schrems about Facebook Inc.’s transfer of personal data to the U.S.

It was Schrems' complaint to the Irish DPA in 2013 that ultimately led to the invalidation of the Safe Harbor framework.

Continued Uncertainty

Schrems' group, Europe Versus Facebook, said May 25 that since the invalidation of Safe Harbor, Facebook Ireland Ltd. had relied on “a contract between Facebook Ireland and Facebook USA” that incorporates SCCs, to enable its trans-Atlantic data transfers.

The use of SCCs “did not change the underlying problem of applicable U.S. mass surveillance laws and the lack of legal redress in the United States, especially for foreign nationals,” Europe Versus Facebook said.

One reason for the ECJ's invalidation of Safe Harbor was that it didn't include sufficient redress options for EU citizens that might be subject to U.S. government surveillance of their data.

EU DPAs have so far said that SCCs and binding corporate rules (BCRs) can continue to be used as a basis for transfers to the U.S., while talks on a new mechanism for transfers—the Privacy Shield—are ongoing.

However, Peter Van Dyck, a senior associate with Allen & Overy LLP in Brussels, told Bloomberg BNA May 25 that there was a “quite high likelihood” that the ECJ would invalidate SCCs on similar grounds to the invalidation of Safe Harbor. If SCCs are invalidated, it “probably means that BCRs won't work either,” Van Dyck said.

Laura De Boel, a senior associate with Wilson Sonsini Goodrich & Rosati in Brussels, told Bloomberg BNA May 25 that “at this stage, unfortunately, there is no bullet-proof permanent legal solution to transfer personal data outside of the EU.”

Risk to Privacy Shield?

According to Van Dyck, raising questions over the validity of SCCs was “a logical legal step, but it's not a very pragmatic approach,” and would mean “limbo for quite some time” for companies.

He added that it was also “very likely that the Privacy Shield will be challenged,” meaning ongoing uncertainty for companies over their data transfer options to the U.S.

The European Commission, the European Union's executive arm, Feb. 29 issued a draft decision approving Privacy Shield (15 PVLR 462, 3/7/16). Privacy Shield includes a mechanism for EU citizens to submit complaints if they feel their privacy rights have been violated in the context of government access to data, but has nevertheless been criticized as still falling short of the standard required by the ECJ ruling that invalidated Safe Harbor (15 PVLR 825, 4/18/16).

Facebook said May 25 that the referral of SCCs to the ECJ would be “relevant to many companies operating in Europe.”

The referral would have “no immediate impact for people or businesses who use our services,” and in addition to SCCs, “Facebook has other legal methods in place to transfer data between countries,” the company said.

De Boel said that in the Safe Harbor case, it took the ECJ about a year to pass judgment after the Irish High Court's referral, and a ruling on SCCs could take a similar amount of time, once the referral is finalized.

“In the meantime, the Art. 29 Working Party will hopefully provide some clarity regarding the different data transfer instruments,” De Boel said.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Jimmy H. Koo at jkoo@bna.com