Are Model Contract Clauses (or “Standard Contract Clauses” – SSCs) valid under EU data protection law?
Irish High Court asks CJEU to rule on validity of Model Contract Clauses (Schrems II)
After successfully bringing down the US-EU Safe Harbour in Schrems I – the ECJ ruling that the mechanism failed to provide the personal data of EU citizens with an effective level of protection – Max Schrems reformulated his complaint to the Irish Data Protection Commissioner (DPC) in order to take aim at SCCs, upon which the target of Schrems’ campaign, Facebook, had also relied.
Like the Safe Harbour and its successor, the Privacy Shield, SCCs are a mechanism approved by the European Commission that allows the transfer of personal data from the EEA to a jurisdiction that has not been deemed to have an “adequate” data protection regime (with the clauses directly requiring parties to maintain a minimum level of compliance).
Having conducted an investigation into the reformulated complaint, the DPC applied to the High Court seeking a preliminary reference to the ECJ to consider the SCCs, as the ECJ had itself ruled in Schrems I that it had sole jurisdiction to strike down a Commission adequacy decision.
In a 152-page judgment, Ms Justice Costello decided to ask the ECJ to rule on the validity of SCCs, finding that, in particular, the DPC’s concerns over the availability of an effective judicial remedy under US law – as required by Article 47 of the Charter of Fundamental Rights of the European Union – were “well-founded”.
As with Schrems I, it was the mass processing of personal data by US security agencies that was at issue, with expert evidence suggesting that such processing by government agencies was “indiscriminate”, if not amounting to “mass surveillance”. This potential unlawful processing was thought to be compounded by restrictive rules on the standing of EEA citizens to bring cases before US courts.
As the SCCs themselves contain no terms to address these sorts of concerns, their validity is called into question. In particular, the Court is asking the ECJ to consider whether general provisions enabling a national data protection authority to ban or suspend data transfers to specific third countries (Article 4 of the SCCs) provide sufficient redress for data subjects to render the SCCs valid.
Why is this important?
Unlike many blockbuster sequels, Schrems II may yet have as big an impact as its predecessor. Like Facebook, many organisations rely on SCCs to transfer personal data between the EEA and other countries – particularly the US. If SSCs are struck down, companies will need to establish a new mechanism of transfer. It’s likely that new SCCs will be approved by the Commission to comply with GDPR, which could resolve the concerns.
The Privacy Shield also remains for the time being, but it may be in danger if it is decided that US conduct in relation to data surveillance means that SCCs cannot be relied upon.
Any practical tips?
For lack of a better alternative, there is little option other than to continue to use SCCs until the ECJ provides its ruling (likely in 12 to 18 months). The ECJ is still in the early stages of consideration. One hopes that data transfer landscape will not look considerably different by the time it finishes!