European Union: Looming Ruling On EU Data Transfer Rules Carries Potentially Serious Implications

In Short

The Situation: The European Court of Justice ("ECJ") is to rule on the validity of EU Standard Contractual Clauses used by companies to transfer personal data outside of the European Union, at the request of Ireland's High Court.

The Impact: If the ECJ invalidates EU Standard Contractual Clauses used by thousands of firms each day to transfer personal data to third-party countries outside the European Union, it would have major disruptive effects for companies.

Ireland's High Court issued a key decision on October 3, 2017, referring a preliminary ruling to the ECJ, asking it to determine whether data transfer agreements based on EU Standard Contractual Clauses, used by businesses to transfer personal data, are in compliance with EU data protection law.

Two years ago, the Schrems decision (C-362/14) led to invalidating the U.S.–EU Safe Harbor Framework and forced companies to choose another data transfer mechanism, such as EU Standard Contractual Clauses, for transferring personal data outside the EU. Now, the ECJ is asked once again to rule on the validity of an international data transfer mechanism.

EU Standard Contractual Clauses are model contracts, as provided in the European Commission's decisions 2001/497/EC, 2004/915/EC, and 2010/87/EU, which constitute a valid legal basis for transferring personal data outside of the European Union. The EU Standard Contractual Clauses are designed to protect the personal data of EU individuals, where such data is to be transferred to a country whose laws do not provide for an adequate level of protection as required by EU data protection law.

After the invalidation of the U.S.–EU Safe Harbor Framework, many U.S.-based companies with operations located in the European Union began to rely on these model contracts to continue transferring personal data to the United States.

In the so-called Schrems II case, Maximilian Schrems, a law student and privacy activist, once again filed a complaint with the Irish data protection authority against Facebook's transfer of his personal data to the United States under data transfer agreements based on EU Standard Contractual Clauses. Schrems's current complaint closely resembles his 2015 claim, which led to invalidating the U.S.–EU Safe Harbor Framework. Schrems argues that the EU Standard Contractual Clauses do not constitute an adequate level of protection of his personal data, as they lack safeguards against U.S. government surveillance and therefore violate Articles 7, 8, and 47 of the EU Charter of Fundamental Rights.

Indeed, EU Standard Contractual Clauses, like the U.S.–EU Safe Harbor Framework, do not foresee specific safeguards in relation to U.S. government surveillance, and it is questionable whether the Ombudsperson mechanism established under the EU–U.S. Privacy Shield Framework will suffice to remedy such concerns. Since the U.S.–EU Safe Harbor Framework was found to be invalid, particularly because of these surveillance issues, it seems likely that the ECJ may invalidate the EU Standard Contractual Clauses for similar reasons, with far-reaching implications for businesses that must transfer data from the European Union to third-party countries.

For now, data transfer agreements based on EU Standard Contractual Clauses remain in force. However, if they are invalidated, businesses will have to rethink their strategy regarding international data transfers. The impact of such invalidation on Binding Corporate Rules, which present yet another data transfer mechanism, remains to be seen. The unfolding Schrems II case is a reminder that the issue of international data transfers will continue to raise questions and challenges for companies and their data protection compliance programs.

The ECJ's ruling in Schrems II may be anticipated in the course of 2018 and may well happen after the EU General Data Protection Regulation ("GDPR") becomes applicable as of May 25, 2018. This could add another interesting twist to the story, as the broader territorial reach of the GDPR may help to alleviate some of the concerns raised.

Three Key Takeaways

1. Schrems II indicates that international data transfers will continue to cause concerns and raise questions for companies and their compliance programs.
2. With the U.S.–EU Safe Harbor Framework ruled invalid, largely due to surveillance issues, it is probable that the ECJ may nullify the EU Standard Contractual Clauses for similar reasons.
3. For the time being, data transfer agreements based on EU Standard Contractual Clauses remain in force. Should they be invalidated, businesses will have to revisit their international data transfer strategies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.