Group chatting on bridge with sheep.

Are Model Contract Clauses (or “Standard Contract Clauses” – SSCs) valid under EU data protection law?

Published on 18 December 2017

Irish High Court asks CJEU to rule on validity of Model Contract Clauses (Schrems II)

The background 

After successfully bringing down the US-EU Safe Harbour in Schrems I – the ECJ ruling that  the mechanism failed to provide the personal data of EU citizens with an effective level of  protection – Max Schrems reformulated his complaint to the Irish Data Protection  Commissioner (DPC) in order to take aim at SCCs, upon which the target of Schrems’  campaign, Facebook, had also relied. 

Like the Safe Harbour and its successor, the Privacy Shield, SCCs are a mechanism  approved by the European Commission that allows the transfer of personal data from the EEA  to a jurisdiction that has not been deemed to have an “adequate” data protection regime (with  the clauses directly requiring parties to maintain a minimum level of compliance). 

Having conducted an investigation into the reformulated complaint, the DPC applied to the  High Court seeking a preliminary reference to the ECJ to consider the SCCs, as the ECJ had  itself ruled in Schrems I that it had sole jurisdiction to strike down a Commission adequacy  decision. 

The development 

In a 152-page judgment, Ms Justice Costello decided to ask the ECJ to rule on the validity of  SCCs, finding that, in particular, the DPC’s concerns over the availability of an effective judicial  remedy under US law – as required by Article 47 of the Charter of Fundamental Rights of the  European Union – were “well-founded”. 

As with Schrems I, it was the mass processing of personal data by US security agencies that  was at issue, with expert evidence suggesting that such processing by government agencies  was “indiscriminate”, if not amounting to “mass surveillance”. This potential unlawful  processing was thought to be compounded by restrictive rules on the standing of EEA citizens  to bring cases before US courts. 

As the SCCs themselves contain no terms to address these sorts of concerns, their validity is  called into question. In particular, the Court is asking the ECJ to consider whether general  provisions enabling a national data protection authority to ban or suspend data transfers to  specific third countries (Article 4 of the SCCs) provide sufficient redress for data subjects to  render the SCCs valid. 

Why is this important? 

Unlike many blockbuster sequels, Schrems II may yet have as big an impact as its  predecessor. Like Facebook, many organisations rely on SCCs to transfer personal data  between the EEA and other countries – particularly the US. If SSCs are struck down,  companies will need to establish a new mechanism of transfer. It’s likely that new SCCs will  be approved by the Commission to comply with GDPR, which could resolve the concerns.

The Privacy Shield also remains for the time being, but it may be in danger if it is decided that  US conduct in relation to data surveillance means that SCCs cannot be relied upon. 

Any practical tips? 

For lack of a better alternative, there is little option other than to continue to use SCCs until the  ECJ provides its ruling (likely in 12 to 18 months). The ECJ is still in the early stages of  consideration. One hopes that data transfer landscape will not look considerably different by  the time it finishes!