Yesterday, the Irish High Court ruled on a case of high importance for international data flow and trade between EU and the rest of the world. The judgement from the Irish High Court concerns the validity of the European Commission’s decisions commonly known as standard contractual clauses (SCCs) regarding adequate protection for personal data transferred to a data controller or processor outside of EU/EEA.
What are the SCCs?
It is not allowed to transfer (including allowing access to) personal data from the EU/EEA to a country located outside of the EU/EEA, unless certain legal safeguards are in place. The SCCs may serve as such safeguard for entities intending to transfer personal data outside of the EU/EEA – they need to complete the relevant appendices of the SCCs and attach the SCCs to their contracts where data is transferred outside the EU/EEA.
There are controller-to-controller and controller-to-processor standard contractual clauses issued by the European Commission (see here). The undertakings in the SCCs provides enforceable rights to individuals once their data is transferred outside the EU/EEA. Due to their relative simplicity, SCCs have been extensively relied on in international business.
This judgment from the High Court follows a previous high profile case that was referred by the High Court to the Court of Justice of the European Union (CJEU) where an Austrian lawyer named Max Schrems, following the Snowden revelations, filed a complaint about data transfers by Facebook Ireland to the US. The CJEU declared the Safe Harbor scheme invalid.. After the CJEU-judgment Facebook among many other U.S.-based companies, switched to using the SCCs. Schrems then filed a second complaint, claiming that the Data Protection Commissioner should have stopped the transfer under the SCCs based on the CJEU judgement regarding his first claim. The commissioner wanted the Irish Court to refer the issue to the CJEU before finalizing the decision on Schrems’ complaint.
The decision and its possible implications
The Irish High Court, in its judgement (available here) decided to refer the case to the CJEU to decide on the validity of the SCCs. However, the actual questions that will be addressed to the CJEU will be formulated by the Irish court in the coming days, i.e. the actual scope of the possible consequences is yet to be seen. Nevertheless, the fact that the validity of the SCCs, the most widely used safeguards to make third country data transfers lawful, will be challenged before the EU’s court brings along possible instability within international data transfers and hence in international trade.
The most stable safeguard for data transfers outside the EU/EEA is still the binding corporate rules, however, they only apply to third country data transfers taking place within a group of companies. It is possible that more and more companies will consider adopting the binding corporate rules concerning their privacy practices. The binding corporate rules require a long and costly process, as the approval of data protection authorities is necessary, however, it can also be utilised as a process where the company’s compliance with applicable privacy rules, such as the GDPR, is ensured.