Almost two years to the day following the decision of the Court of Justice of the European Union ("CJEU") in Schrems v Data Protection Commissioner ("Schrems I"), the issue of transatlantic data transfers is heading back to the CJEU.
The referral from the Commercial Division of the High Court of Ireland (the "Commercial Court") to the CJEU on the standard contractual clauses ("SCCs") has been widely expected. Much will turn, however, on the precise formulation of the questions to the CJEU, in respect of which further submissions and hearings are scheduled for 11 October 2017.
While this latest chapter ("Schrems II") in the ongoing data privacy saga involving the Irish Data Protection Commissioner (the "DPC"), Max Schrems and Facebook is ostensibly concerned with transfers to the United States, the final CJEU decision on the matter could have wider implications for transfers to other countries outside the European Economic Area, including, in a post-Brexit world, the United Kingdom.
In Schrems I, the CJEU decision invalidated personal data transfers between the EU and the United States based on the EU-US Safe Harbour regime. This time around, the issues centre on the validity of the European Commission (the "Commission") approved, and widely used, SCCs as a legal basis for transfers of personal data to the United States.
In Schrems II, the Commercial Court decided on 3 October 2017 to refer the question of the validity of the SCCs to the CJEU.
The importance of the case, and of the ultimate decision of the CJEU on the issues raised, is reflected not only in the length of the arguments before the High Court (where the hearings lasted some five and a half weeks), but also in the number and identity of the parties which filed amicus curiae (or "friends of the Court") arguments before the Commercial Court, including the US Government and the Business Software Association.
The Commercial Court rightly described the case as an unusual one. The Commercial Court was not asked to consider the validity of the SCCs themselves (a right the CJEU reserved to itself in Schrems I), the validity of Facebook's specific transfers based on SCCs, nor even to consider the scope and validity of the DPC's investigation into Facebook's transatlantic data transfers and her draft findings. The key questions with which the Commercial Court was tasked were its own jurisdiction to refer the issue to the CJEU, and having met that hurdle, whether the concerns identified by the DPC with regard to the validity of the SCCs were genuine and well-founded and thereby justified an exercise by the Commercial Court of that jurisdiction.
In considering the issues, the Commercial Court expressly took into account all arguments made before it, including those centred on changes to the data protection landscape following the DPC's investigation (such as the EU-US Privacy Shield (the "Privacy Shield"), which replaced the Safe Harbour), and did not confine itself to the matters addressed by the DPC in her draft findings. Importantly, the Commercial Court distinguished the Privacy Shield, holding that the protections and advancements implemented under the Privacy Shield did not constitute an adequacy decision in relation to the United States per se, and only applied in respect of transfers made pursuant to the detailed Privacy Shield rules.
Thus, some of the concerns raised by the DPC in connection with the SCCs were the very ones which the Privacy Shield had remedied when replacing Safe Harbour following Schrems I. Those concerns included the "well founded concern" of a potential absence of effective remedies for EU citizens where their personal data is accessed and processed by US state agencies for national security purposes.
Given the decision in Schrems I, having concluded that the DPC's concerns were well founded, the Commercial Court was duty bound to refer the matter to the CJEU for a preliminary ruling. While the Commercial Court indicated that that referral would centre on the validity of the SCCs, somewhat unusually, it deferred formulating the precise questions to be referred pending further submissions from all parties, at their unanimous earlier request to be heard on the scope of the referred questions. That said, the executive summary of the Commercial Court judgment indicates that those questions may well include requesting preliminary rulings from the CJEU on whether the introduction of the Privacy Shield Ombudsman and / or the existence of a discretionary power of Member State supervisory authorities (which might not be uniformly applied throughout the EU) to suspend transfers, might be sufficient to save the SCCs.
It is hoped that the scope of the questions posed to the CJEU will be sufficiently precise to give a greater degree of certainty in relation to the circumstances in which the SCCs might be reliably used for transatlantic transfers, and / or guidance as to how that certainty might be achieved (for example, whether a further extension of some of the Privacy Shield protections would suffice). In a post-GDPR environment, in which the Commission expressly allowed for the continuation of SCCs, but in which the potential sanctions for getting this wrong are exponentially higher, greater certainty will be necessary if business-critical transatlantic data flows are to continue.