By Joseph Jones and Ruth Scoles Mitchell
On October 3, 2017, the Irish High Court referred Data Protection Commissioner v Facebook Ireland Limited [2016 No. 4809 P.] to the Court of Justice of the European Union (“CJEU”). The case, commonly referred to as Schrems II, is based on a complaint by Max Schrems concerning the transfer of personal data by Facebook, from Ireland to the United States, using the EU Standard Contract Clauses (“SCCs”).
The SCCs are a European Commission-approved mechanism to legally effect the transfer of personal data from the EEA to third (non-EEA) countries. The SCCs provide for a contractual arrangement between a EEA-based data exporter and a non-EEA-based data importer of personal data, under which the data importer agrees to abide by EU privacy standards.
Mr Schrems complained to the Irish Data Protection Commissioner (“the DPC”) about Facebook’s reliance on the SCCs to transfer personal data between Facebook Ireland Ltd and Facebook Inc., i.e., from Europe to the United States. The DPC argues that it cannot complete the investigation into Mr Schrems’ complaint without first obtaining a ruling of the CJEU on the validity of the SCCs. Accordingly, the Irish DPC filed an action with the Irish High Court seeking a reference to the CJEU as to the validity of the SCCs in light of U.S. laws and practices — in particular the purported lack of legal redress available to EU citizens whose data is being processed by U.S. intelligence. Accordingly, the DPC raises the concern that the SCCs do not guarantee certain rights that exist under the EU Charter of Fundamental Rights (principally, the right to an effective remedy and to a fair trial (Article 47) but also the rights to privacy (Article 7) and data protection (Article 8)).
In a lengthy judgment, the Irish High Court concluded that the Irish DPC had “well-founded concerns” relating to U.S. laws and practices and whether and how those laws and practices (in particular relating to the processing of data by U.S. law enforcement and intelligence agencies) are compatible with EU standards, in particular with the Charter. In making this determination, the High Court ruled that the EU guarantees a “high level of protection to EU citizens as regards the processing of their personal data within the EU” and that EU citizens “are entitled to an equivalent high level of protection when their personal data are transferred outside the EEA.”
The Irish High Court noted that “it is extremely important that there be uniformity in the application of the [Data Protection] Directive throughout the [European] Union on this vitally important issue. This requires that there be consistency and clarity.” As a result, the Irish High Court has decided to refer questions relating to the SCCs and how their validity may be affected by the doubts and concerns of the Irish High Court.
The exact wording of the questions to be referred has not been finalized. Before then, the Irish High Court will hear from the parties to the case as to the questions to be referred to the CJEU.
On average, CJEU referrals take between 15-20 months for a ruling. Until a decision to the contrary, the SCCs remain a valid means for the transfer of personal data from the EU to the United States and elsewhere.