On April 11, 2018, Justice Caroline Costello of the Irish High Court referred the case of Schrems 2, as it has become known, to the Court of Justice of the European Union (ECJ) with 11 questions for the ECJ to answer.
From a data compliance perspective, the referral is bad news for any organisation that relies upon Standard Contractual Clauses (SCCs) for a legally binding data sharing agreement for cross-border transfers: if the ruling of the ECJ agrees that the use of SCCs is unlawful, what will organisations have left in the “agreement arsenal”?
The ramifications are serious, and this article is well worth a read if you use SCCs or plan to rely upon SCCs as an alternative to Binding Corporate Rules (BCR).
Per Justice Costello, the sole issue in the case is whether the European Commission’s Decisions regarding standard contractual clauses (SCCs) are valid, which is reflected in the 11 questions posed.
The reference asks the ECJ to determine:
- Whether provisions of EU law related to national security, public security, defense, and state security apply to transfers of data outside the EU under SCCs;
- Whether relevant EU law or EU Member State laws are the appropriate comparator for determining if a violation of individual rights occurred (and whether to include EU Member States’ national security practices in that comparator);
- Whether the assessment of a third country’s level of privacy protection should include administrative, regulatory and compliance practices, policy safeguards, procedures, protocols, oversight mechanisms, and non-judicial remedies;
- Whether transfer of personal data from the EU to the U.S. under valid SCCs violates the rights of individuals under Articles 7 and/or 8 of the Charter of Fundamental Rights of the European Union (the Charter) (note – these articles state the rights to data protection and privacy);
- Whether the level of protection afforded by the U.S. respects the essence of an individual’s right to a judicial remedy for breach of data privacy rights as guaranteed under the Charter, and if so, whether limitations imposed by U.S. law on access to judicial remedies are necessary and proportionate for national security in a democratic society according to Article 52 of the Charter;
- What level of protection is required for personal data transferred to a third country pursuant to SCCs in light of the Data Protection Directive and the Charter, and what factors should be reviewed in determining the adequacy of the level of protection offered by a third country;
- Whether the SCCs can include additional safeguards per Article 26(2) of the Data Protection Directive sufficient to cure any deficiencies for third countries where national authorities may require a data importer to make personal data received under an SCC available for national security purposes;
- Whether a data protection authority (DPA) can use its own discretion in determining whether to suspend data flows to a third country data importer if the DPA believes that country’s surveillance laws conflict with relevant EU law;
- Whether the Privacy Shield Decision constitutes a finding that the U.S. has an adequate level of privacy protection, and if not, what relevance the Privacy Shield Decision has in assessing the adequacy of U.S. privacy safeguards related to SCCs;
- Whether the provision of the Privacy Shield ombudsperson under the Privacy Shield Decision, in combination with existing U.S. law, ensures a remedy compatible with Article 47 of the Charter; and
- Whether the SCC Decision violates the Charter.
In addition to the questions posed in the referral, Justice Costello also included findings of fact based on the submitted expert testimonies and the parties’ arguments before the Court. Justice Costello found that Section 702 of the Foreign Intelligence Surveillance Act, which includes the PRISM and Upstream programs, conducts “mass indiscriminate processing of data by the United States government agencies” (Para. 33). Justice Costello also included a number of findings regarding U.S. surveillance law, how the PRISM and Upstream programs operate, the privacy remedies available to individuals whose privacy rights are impacted by U.S. surveillance, the limitations on those remedies, and U.S. systemic safeguards and oversight mechanisms.
I shall try to keep you apprised of developments and, as Caretower’s GDPR specialist, I have a stake in knowing what will happen. Should you need any support or advice about SCCs, BCR or other data sharing agreements, I am more than happy to assist.
MIET, MBCS, Security & GDPR Specialist