The Case of Standard Contractual Clauses: The Irish Data Protection Commissioner & Max Schrems

“The supervisory authorities should have the power to prohibit or suspend a data transfer or a set of transfers based on the standard contractual clauses in those exceptional cases where it is established that a transfer on contractual basis is likely to have a substantial adverse effect on the warranties and obligations providing adequate protection for the data subject.”  2010/87/: Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council

On 31 May 2016 the case of the Irish Data Protection Commissioner began in the Irish High Court with reference to the Court of Justice of the European Union (CJEU) and Standard Contractual Clauses that currently allow for personal data to be lawfully transferred from Europe to third countries that do not ensure an “adequate” level of protection for personal data.

The case stems from Schrems’ 2013 complaint concerning data transfers between Facebook Ireland and Facebook Inc. following Edward Snowden’s revelations of American mass surveillance. As a result of that case, in the fall of 2015 the CJEU invalidated Safe Harbor and ruled that the Irish Data Protection Commissioner was obliged to investigate Schrems’ complaint.

Following the invalidation of Safe Harbor in Case C‑362/14, Facebook started to use Standard Contractual Clauses, or SCCs, to transfer data from Europe to the United States. This prompted Schrems to file an updated complaint, which fundamentally argued that Standard Contractual Clauses cannot lawfully permit international data transfers in the case of Facebook, as it is subject to mass surveillance that violates the Charter of Fundamental Rights of the European Union. In his complaint, Schrems requested that the Irish Data Protection Commissioner suspend the data transfers in light of the provisions in the Standard Contractual Clauses which permit competent authorities to suspend data flows to third countries.

The Irish Data Protection Commissioner commenced its investigation following the Irish High Court Order of 20 October 2015 and then issued a draft decision stating that Schrems’ complaint was well-founded and that the office intended to “seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses”.

The Irish DPC has expressed specific doubts in relation to Articles 7 (the right to respect for private and family life, home and communications), 8 (establishing the right of every person to protection of their personal data) and 47 (the right to an effective remedy where rights and freedoms guaranteed by EU law are violated) of the Charter of Fundamental Rights of the European Union and the original CJEU Schrems ruling. Furthermore, the Irish DPC stressed that SCCs do not “address the CJEU’s objections concerning the absence of an effective remedy compatible with the requirements of Article 47 of the Charter as outlined in its judgment of 6 October 2015, nor could they;” and that “the SCCs themselves are therefore considered likely to offend against Article 47 insofar as they purport to legitimize the transfer of the personal data of EU citizens to the US.”

On 7 February 2017 the Irish High Court began to hear the case. We should know the results of the case sometime later this month.

We now wait to see if the Irish High Court will agree with the Irish DPC and refer the case to the CJEU. The transfer of personal data is unstoppable given that it is one of the core elements of both the digital economy and social life. It is the duty of competent authorities and the judiciary to ensure that personal data protection rights are respected by the entities involved in the data transfer or processing. This holds true for any transfer of personal data, be it to the US or to other third countries that do not ensure an “adequate” level of protection, and for any legal basis for transferring personal data, e.g., SCCs, Safe Harbor, BCRs, etc.

It is a social and economic responsibility for the judiciary involved in this case to respect the rule of law and to focus on upholding the highest standard of data protection, maintaining full impartiality and avoiding being dragged into what sometimes seems to be more an economically driven case than a true fundamental-rights case.
