Following the “Safe Harbour” decision, this landmark court case in the field of data protection enters its second stage, as the proceedings continue before the Irish High Court. These proceedings may very well result in a decision rendering the EU Standard Contractual Clauses (“SCCs”) void. This could severely impact any bank, credit card scheme or other financial or Fintech company.
EU Standard Contractual Clauses: The story so far
The “Safe Harbour” case originally arose from complaints made by Maximilian Schrems, an Austrian lawyer, author and privacy activist, to the Irish Data Protection Commissioner (“DPC”) on 25 June 2013 concerning the transfer of data by Facebook Ireland Limited to its US parent company, Facebook Inc., which at the time took place under the “Safe Harbour” regime. “Safe Harbour” was established in 2000 by way of an EU Commission decision which deemed the US to have an adequate level of data protection provided that the US parties involved in personal data transfers from the EU to the US adhered to the standards set by the Safe Harbour regime. After the DPC refused to investigate the complaint and Mr. Schrems took the case to the Irish courts, the Irish High Court referred the issue to the Court of Justice of the European Union (“CJEU”). On 6 October 2015, the CJEU ruled that the “Safe Harbour” scheme was invalid.
Following that decision, Mr. Schrems’ proceedings were returned before the Irish High Court, which made a court order forcing the DPC to investigate the original complaint of 25 June 2013. Meanwhile, Mr. Schrems had also reformulated his complaint to take account of the CJEU’s “Safe Harbour” decision, which now also included Facebook’s use of SCCs to authorise EU to US data transfers.
SCCs examined by the Irish High Court
On 24 May 2016, the DPC issued a draft decision which found that Mr. Schrems raised “well-founded” objections, holding a “preliminary view” that using SCCs did not provide the level of protection necessary. However, the DPC was of the opinion that without a court ruling on the validity of the SCCs it could not continue with the investigation. As a result, the DPC in 2016 commenced legal proceedings in the Irish High Court seeking a declaration as to the validity of the EU Commission decisions concerning SCCs and a preliminary reference to the CJEU on this issue.
The DPC is now actively taking steps to have the SCCs examined by the CJEU. The proceedings commenced before the High Court on 7 February 2017 and they are scheduled to run for approximately three weeks.
Why the SCCs may be void
Taking into account the Irish High Court’s earlier reasoning why the “Safe Harbour” case had to be referred to the CJEU, one should not be surprised to find that the Irish High Court will again decide that the CJEU should also decide on the fate of the SCCs.
Also, based on the reasoning of the CJEU in “Safe Harbour”, one can conclude that the SCCs are also not a sufficient justification for a transfer of personal data into the USA. In its “Safe Harbour” decision, the court reasoned that the personal data was not adequately protected from being accessed by the local (US) authorities, and that data subjects had no (effective) rights to be informed about or even object to such use.
Similarly to “Safe Harbour”, the SCCs are also based on a decision of the EU Commission. However, between the parties involved, the SCCs are just civil law contracts between private entities, and are not binding for the public authorities of the country (e.g. USA authorities) where the data exporter resides. After all, the “Safe Harbour” agreement, while considered insufficient by the CJEU, was a result of negotiations with the US Government.
Far-reaching consequences
A decision that renders the SCCs void would not only make EU-US data transfers much more difficult, but would impact all data transfers to non-EU countries, including top outsourcing locations such as Vietnam and the Philippines or IT hotbeds such as India.
Obviously, this would also severely impact any bank, credit card scheme or other financial or Fintech company relying on services provided by non-EU service providers, involving cross (EU) border data flows, or simply the use of programmers located outside the EU.
EU Privacy Shield and the Umbrella Agreement
As a result of the “Safe Harbour” decision, the USA and the EU were, relatively speaking, quick to create the so-called EU Privacy Shield, which stipulates stricter-than-ever-before rules on the handling and processing of personal data from the EU by US entities. While it offers much improved protection of personal data compared to “Safe Harbour”, it still fails to address a key issue raised by the CJEU in “Safe Harbour” – the need to protect EU personal data from access by the US authorities. In this context, the recently ratified “Umbrella Agreement” between the EU and the US may play an important role and influence the court’s decision. This international treaty between the USA and the EU was actually “ready to sign” shortly before the “Safe Harbour” decision and provides (or, as some critics say, purports to provide but fails to do so) EU citizens certain rights against US authorities’ access and use of their personal data.
And then there is another “known Unknown”
A big question – or to paraphrase Donald Rumsfeld, a “known Unknown” – is what the new US administration plans for the future of the EU Privacy Shield. The highly debated presidential order on immigration contains a paragraph which raised concerns that the US administration might want to unilaterally revoke the Umbrella Agreement and/or EU Privacy Shield. It remains to be seen if these concerns prove to be true – and also how this will impact the first annual review of the EU Privacy Shield scheduled for mid-2017.