Greetings from London!
This week’s big news emanates from the Emerald Isle, where an Irish High Court judge has asked the Court of Justice of the European Union to determine the validity and legality of European Commission decisions approving EU-U.S. data transfer mechanisms used by the likes of giant tech companies, such as Facebook, Apple and Google.
The case is very significant and potentially has huge implications for trade worth billions of euros across the Atlantic. Not to mention the impact on the data privacy rights of millions of EU citizens, as well as their security. The case hinges predominantly on whether the transfer mechanisms in place afford people in the EU sufficient protection from the prying eyes of U.S. intelligence and surveillance agencies.
Irish High Court Judge Caroline Costello said in relation to her decision, “European Union law guarantees a high level of protection to EU citizens ... they are entitled to an equivalent high level of protection when their data is transferred outside of the European Economic Area.”
Facebook and the U.S. government had opposed the Irish Data Protection Commissioner’s application for a referral to the CJEU, but the judge agreed to refer, concurring with Irish Commissioner Helen Dixon that there are “well founded” grounds for believing European Commission decisions of 2001, 2004 and 2010 approving the data transfer mechanism known as standard contractual clauses might be invalid. The crux of the concern surrounds the potential absence of an effective remedy in U.S. law compatible with the requirements of Article 47 of the (EU) Charter of Fundamental Rights. The judge went on to say that the newly created U.S. ombudsman dealing with European complaints about surveillance did not eliminate concerns, adding that judicial remedies “are few and far between and certainly not complete or comprehensive.” Costello did state, however, that she was not delivering any value judgment on either EU or U.S. data protection laws.
We have extensive coverage below on what Costello said, what it means, and what the future might hold.
In a statement issued by her office, Commissioner Dixon said she hoped these issues will be addressed by the CJEU as soon as possible to provide certainty for data subjects and controllers alike. In that context, the Commissioner acknowledges that many businesses rely on SCCs to transfer data from the EU to the U.S. It is important to note that today’s decision does not invalidate the SCCs (nor the Privacy Shield), nor does it prohibit their continued use for the purpose of data transfers to the U.S. or elsewhere.
“Uncertainty” is putting it mildly. If the CJEU were to rule against the common legal arrangements used by thousands of firms to transfer personal data outside the EU, this could cause major panic among companies as they look for alternative transfer mechanisms. In reality, millions of these transfers happen every hour of every day, including credit card transactions, hotel and transportation bookings, or even moving employee data between countries. Day-to-day business practices would be heavily impacted.
What’s next? I spoke to Kate Colleary, CIPP/E, from Colleary & Co. law firm and co-founder of privacy consulting company Frontier Privacy. She said the Irish High Court will now hear submissions from all parties on the content and format of the questions to be put to the CJEU. How these questions are phrased is likely to be subject to intense scrutiny and lengthy legal submissions. Once the submissions are made, the Irish Court will draft the final version of the questions to be put to the CJEU and refer the case to that court for a decision. Colleary added that the CJEU is likely to consider the case law to date, the facts as set out in the Snowden revelations, and the ongoing concerns about U.S. agencies’ alleged ability to indiscriminately access personal data of European citizens.
The process is likely to take at least another 18 months to conclude. In the meantime, SCCs and Privacy Shield certifications remain valid. Organizations will continue to rely on those methods to lawfully transfer data to the U.S., but we should expect everyone to be eyeing possibilities for alternative solutions.