TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Standard contractual clauses to be reviewed by CJEU Related reading: Model clauses in jeopardy with Irish DPA referral to CJEU



Irish High Court Judge Caroline Costello gave judgment today in the “unusual case” of Data Protection Commission v Facebook & Schrems. The issue before her was whether she should ask the Court of Justice of the European Union to consider the validity of three decisions of the EU Commission: 2001/497/EC of 15 June 2001, 2004/915/EC of 27 December 2004, and 2010/87/EU of 5 February 2010. These decisions enable transfers of EU personal data to controllers and processors outside the EU on the basis of standard contractual clauses. Costello concurred with the Data Protection Commissioner that, “there are well founded grounds for believing that the SCC decisions are invalid and furthermore that it is extremely important that there be uniformity in the application of the Directive throughout the Union on this vitally important issue.” Costello held that there were two options open to her:

  1. “Make the reference sought by the DPC to the CJEU”; or,
  2. “[R]efuse to make the reference and dismiss the proceedings as no other relief is sought. In that event the court in effect will be endorsing the validity of the decisions and require the DPC to conclude her investigation into Mr. Schrems’ complaint on the basis that the SCC decisions are valid.”

Costello picked the first option and decided to refer questions to the CJEU. However, those questions have not been referred as of yet. Instead, Costello has asked that the various parties before her to make submissions on the questions to be asked of the CJEU (something they had all asked for). Costello did hint at what those questions might be:

  1. Whether Irish High Court or the DPC or the court could be required to conduct a comprehensive adequacy analysis of U.S. laws and practices in relation to electronic surveillance on national security grounds;
  2. Whether the Irish High Court or the DPC needed to analyse the remedial regime provided by U.S. law (or that of another third country) to see whether this provided an adequate right to an effective remedy before an independent tribunal as required by the EU Charter of Fundamental Rights; and
  3. Whether it is arguable that limitations on the exercise of the right to an effective remedy before an independent tribunal for EU citizens whose data privacy rights are infringed by the intelligence agencies are not proportionate or necessary or needed to protect the rights and freedoms of others?

Costello then noted that neither “the introduction of the Privacy Shield Ombudsperson mechanism nor the provisions of Article 4 of the SCC decisions eliminate the well-founded concerns raised by the DPC in relation to the adequacy of the protection afforded to EU data subjects whose personal data is wrongfully interfered with by the intelligence services of the United States once their personal data has been transferred for processing to the United States.” She therefore proposed to refer the SCC decisions to the CJEU for a preliminary ruling. 

What will happen next?

The validity of the SCC Decisions is not under immediate threat. The DPC has stated this “decision does not invalidate the SCCs (nor the Privacy Shield); neither does it prohibit their continued use.” What will happen next is that Costello will take submissions from the parties before framing the questions to be asked of the CJEU on the basis of those submissions. These questions will then be referred to the CJEU, unless someone challenges the decision of Costello before the Irish Courts. Submissions may then be made to the CJEU, itself, and an opinion of that Court’s Advocate General may be given before the CJEU will answer questions it has been asked.

This process will take time. It may well stretch beyond May 25, 2018, at which point the General Data Protection Regulation (GDPR) will apply. Article 3 of the GDPR grants EU data protection laws a global jurisdiction. It may be that the conferral of a global jurisdiction upon EU data protection laws will address some of the concerns raised in Data Protection Commission v Facebook & Schrems. However, whether the CJEU considers this point may depend upon the questions that are asked of it and the submissions that are made to it.

Photo credit: Dublin (46) via photopin (license)

Schrems reacts

Following the High Court’s decision, Max Schrems posted this video response to Twitter:


Irish DPC reacts

The Irish Data Protection Commissioner published this statement following the High Court’s decision:

“The Commissioner welcomes the High Court’s judgment and its decision to refer a number of questions to the CJEU, as requested by the Commissioner.

“The transfer of personal data to the US under the standard contractual clauses mechanism (“SCCs”) raises important issues for the protection of EU citizens’ data protection rights. Now that the High Court has confirmed it shares the Commissioner’s concerns about the protection of those rights in the context of EU/U.S. data transfers, the Commissioner hopes these issues will be addressed by the CJEU as soon as possible to provide certainty for data subjects and controllers alike. In that context, the Commissioner acknowledges that many businesses rely on SCCs to transfer data from the EU to the U.S. It is important to note that today’s decision does not invalidate the SCCs (nor the Privacy Shield); neither does it prohibit their continued use for the purpose of data transfers to the US or elsewhere. Rather, it invites the CJEU to consider whether, under EU law, SCCs in their present form can and should be retained as a basis for the transfer of personal data from the EU to the U.S.”

1 Comment

If you want to comment on this post, you need to login.

  • comment Emma Butler • Oct 9, 2017
    The key fact that seems to have been missed is that the entire point of SCC is that they provide a transfer mechanism when the recipient organisation is in a non-adequate country! They are not the same as Privacy Shield. Every government in the world carries out surveillance but the SCCs contain obligations on the sending and receiving organisations to protect the data precisely because the destination country laws  cannot be relied on in and of themselves. The question to the CJEU should be about whether the obligations and safeguards in the SCC are enough and appropriate given they are to be used in situations where the destination country has not been found adequate. Companies cannot start having to consider the surveillance regime and access to justice system for every single country without an adequacy decision!  Companies will be using SCC to transfer data to other companies in China and Russia - where are the howls of protest about that?!