Second case involving complaint about personal data transfer to US
On 3 October 2017 the Irish High Court handed down judgment in a case brought by the Irish Data Protection Commissioner (“DPC”) relating to a complaint brought by Max Schrems about Facebook’s transfer of his personal data to the US.
This is the second case brought about by a complaint by Mr Schrems about personal data transfer and processing by Facebook. The first resulted in the 2015 decision of the Court of Justice of the European Union (“CJEU”) which struck down the Safe Harbour scheme. The Safe Harbour scheme, which came about by agreement between the EU and the US, allowed companies to self-certify that they would protect European personal data. The EU decided that those within the Safe Harbour scheme provided protection for personal data, which was “essentially equivalent” to the protection under the EU Data Protection Directive. This “adequacy decision” allowed EU companies to transfer personal data to US companies within the Safe Harbour scheme without breaching the 8th Data Protection Principle:
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
One of the key reasons why the CJEU struck down Safe Harbour was the requirements in US law allowing the US security agencies access to personal data, which took precedence over the Safe Harbour obligations. US public authorities were not, themselves, bound by Safe Harbour. Nor, the CJEU found, was there any effective remedy available to individuals for any interference with their rights.
In the absence of Safe Harbour, Facebook instead transferred personal data to the US on the basis of a contractual agreement between its Irish and US companies, which used the EU Commission-approved Standard Contractual Clauses. These provide another route for data controllers to comply with the 8th Data Protection Principle, with the company to whom the data is being transferred being under contractual obligations to provide adequate protection for the personal data. However, Mr Schrems again challenged this before the DPC who took the matter to the Irish High Court. The Irish High Court has now decided to refer the matter to the CJEU under the preliminary reference procedure.
In doing so the Irish High Court referred to the US legal regime allowing public authority and security agency surveillance of personal data, and to concerns over there being a lack of an effective remedy available to EU citizens. The DPC had formed the view that the standard contractual clauses did not address these issues. As only the CJEU can decide whether an EU measure is valid or invalid, she sought a preliminary reference from the High Court. The Court found that the DPC had raised well-founded concerns, and that a preliminary reference was appropriate. It also found that the existence of the EU Commission’s EU-US Privacy Shield Decision did not preclude it from doing so – a decision of the CJEU is required. “Privacy Shield” was designed to address some of the concerns raised by the CJEU in striking down Safe Harbour. Whether it has done so or not is a matter of much debate.
Whilst Standard Contractual Clauses remain a valid method of fulfilling obligations under the 8th Data Protection Principle when transferring personal data to the US for now, the CJEU case will be one to watch. How contractual provisions could solve the issue of US security agency surveillance of personal data transferred from the EU (when US statutory provisions take precedence over any contractual provisions) is very much at the heart of this case. With Privacy Shield also not certain to survive scrutiny from the CJEU, the future of EU-US data transfers remains uncertain. With such uncertainty data controller may wish to check on their own arrangements, take advice, and consider the extent to which data in fact needs to be transferred outside the EU/EEA.