The Standard Contract Clauses under fire?

13.11.2017

In the recent case between the Data Protection Commissioner vs Facebook Ireland Ltd and Maximilian Schrems of October 3rd 2017, Maximilian Schrems raised before the court the issue of the validity of the Standard Contract Clauses decisions with respect to data transfers from the European Economic Area to the United States, in the light of Article 7 (respect for private and family life), Article 8 (protection of personal data) and Article 47 (right to an effective remedy and to a fair trial) of the Charter of Fundamental Rights of the European Union.

The Data Protection Commissioner has requested the Irish Commercial High Court to make a reference to the Court of Justice of the European Union. In its 152-page judgment, the Irish Commercial High Court agrees with the Data Protection Commissioner that the central issue of the validity of the Standard Contract Clauses decisions can only be resolved by the Court of Justice of the European Union. The Irish Commercial High Court believes that:

“O. 331 […] there is a strong argument that Article 4 of the Standard Contract Clauses does not provide the answer to the concerns raised by the Data Protection Commissioner in relation to the remedial regime in the United States.”

“O. 333 I have formed the view that I concur with the Data Protection Commissioner that there are well founded grounds for believing that the Standard Contract Clauses decisions are invalid […]”

The Data Protection Commissioner has conducted a review of the remedies available for breach of data protection rights in US federal law and arrives at the conclusion that effective remedies are not available under United States law to European Union citizens (whose data is transferred to the US). The Data Protection Commissioner believes that data of European Union citizens transferred from the European Union to the United States can be assessed and processed by United States State agencies for national security purposes in a manner which is incompatible with such European Union citizens’ fundamental rights to respect for their private and family life and protection of their personal data. The Data Protection Commissioner also believes that the Standard Contract Clauses decisions do not have safeguards in place which repair this deficiency, because the Standard Contract Clauses decisions are not binding on any US government agency or other US public body. The Irish Commercial High Court concurs with the Data Protection Commissioner that neither Article 4 of the Standard Contract Clauses decisions nor the introduction of the Privacy Shield Ombudsman mechanism remedies the lack of effective remedies available to European Union citizens under US law:

“O. 334 […] Neither the introduction of the Privacy Shield Ombudsman mechanism nor the provision of Article 4 of the Standard Contract Clauses decisions eliminate the well-founded concerns raised by the Data Protection Commissioner in relation to the adequacy of the protection afforded to the EU data subjects whose personal data is wrongfully interfered with by the intelligence services of the United States once their personal data has been transferred for processing to the United States.”

The exact questions to be referred by the Irish Commercial High Court to the Court of Justice of the European Union for a preliminary ruling are still to be determined by the Irish Commercial High Court.

In an earlier case, Maximilian Schrems questioned the validity of the Safe Harbour decision with regard to the transfer of his data by Facebook from Ireland to the United States, in particular in the light of E. Snowden’s disclosures of large scale surveillance programs operated by the United States National Security Agency (PRISM and UPSTREAM). This resulted in a judgment rendering the Safe Harbour decision invalid (6th of October 2015), hence the subsequent enactment of the Privacy Shield.

The European Commission has recently (18th of October 2017) published its evaluation report on the Privacy Shield. Although the European Commission makes recommendations on the current Privacy Shield, it states that the Privacy Shield continues to ensure an adequate level of protection. One of these recommendations is to enshrine the protection for non-Americans, such as the citizens of the European Union, as offered by the Presidential Policy Directive 28 issued in 2014 regarding limitations and safeguards on the use of personal data by American national security authorities:

“The U.S. authorities have put in place the complaint-handling and enforcement mechanisms and procedures to safeguard individual rights. This includes also the new additional redress avenues for EU individuals such as the arbitration panel and the Ombudsperson mechanism. Regarding the latter, an Acting Ombudsperson was designated following the change of Administration in January 2017, whereas the nomination of a permanent Ombudsperson is pending. Cooperation with European data protection authorities has been stepped up. As regards access to personal data by public authorities for national security purposes, relevant safeguards on the U.S. side remain in place, notably those based on Presidential Policy Directive 28 issued in 2014 which sets out limitations and safeguards on use by national security authorities of personal data, regardless of nationality of the individual. In this context, it should also be noted that section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA) is set to expire on 31 December 2017 and that reform proposals are under discussion in the U.S. Congress.” 

It is to be noted that the Irish Commercial High Court, in its judgment of 3rd of October 2017, has not rendered the Standard Contract Clauses decisions invalid. This is to be decided by the Court of Justice of the European Union. If, however, the Court of Justice of the European Union were to render these decisions invalid, this would have a major impact on all companies currently relying upon Standard Contract Clauses decisions to transfer data of European Union citizens from the European Union to the United States.

Read the judgment of the Irish Commercial High Court here.


Article provided by Irvette Tempelman, Attorney-at-law, Cordemeyer & Slager / advocaten – CS Law

