On the 3rd of October 2017, in the case commonly known as “Schrems 2” (Irish Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems), the Irish High Court referred a challenge to the validity of EU Standard Contractual Clauses (“SCCs”) to the Court of Justice of the European Union (“CJEU”).
Personal data cannot be transferred to third countries by EU/EEA entities unless there are adequate safeguards to protect the personal data transferred. SCCs are one of the options which may legitimize such transfers – they are model contractual clauses which have been approved the European Commission as providing the required adequate safeguards when transferring data to third countries (including the US).
Mr Schrems, a privacy activist who had previously successfully challenged the legitimacy of the now invalid EU-US Safe Harbor framework in the “Schrems case”, requested the Irish Data Protection Commissioner (“IDPC”) to rule that SCCs do not provide sufficient safeguards when personal data of European data subjects is transferred from the EU to the US. The IDPC referred the matter to the Irish High Court and contended that SCCs do not provide adequate protection and that personal data of EU data subjects may be at risk of being access by US law enforcement agencies in a manner which is incompatible with the EU Charter of Fundamental Human Rights. The Irish High Court ruled that there are “well founded concerns” about the protection of personal data exported to the US in virtue of SCCs and referred the case to the CJEU for a preliminary ruling on the validity of SCCs.
No date has been set for the CJEU’s ruling as at the date of writing and one can expect that the delivery of the CJEU’s preliminary ruling will take some time. Meanwhile, SCCs remain a valid mechanism to legitimize personal data transfers to third countries, including the US, although exploring other legitimizing avenues such as the EU-US Privacy Shield certification might be desirable.