EU High Court to Hear Facebook Case That Could Affect Privacy Shield
In a case that could affect global personal data transfers, Europe's high court will consider a challenge Tuesday by privacy lawyer Max Schrems to Facebook's use of standard contractual clauses (SCCs) to shift personal data to the U.S. Schrems filed the case, Data Protection Commissioner v. Facebook Ireland and Maximilian Schrems, in the Irish High Court. That court referred it to the European Court of Justice for a ruling on whether SCCs are valid under EU law (see 1710030011). ECJ's decision could reach as far as trans-Atlantic data transfer agreement Privacy Shield, lawyers told us.
In assessing Schrems' claim, the Irish Data Protection Commissioner (DPC) looked at the U.S. legal regime for authorizing electronic surveillance of data transferred from the EU to the U.S. for processing and at the remedies available to EU data subjects whose information was sent over, the high court said in an October 2017 executive summary. The commissioner "formed the view that there appeared to be well-founded concerns that there is an absence of an effective remedy" compatible with EU fundamental rights, and safeguards don't appear to address that absence.
The case is about only transfers to the U.S. that are subject to "mass surveillance," and it targets only Facebook, which is named in documents from former NSA contractor Edward Snowden as aiding the Prism surveillance program, Schrems said in information provided to us Monday. The DPC is arguing SCCs are invalid; Schrems argues if the model clauses are correctly applied and enforced, they're an appropriate solution. Instead of "kicking the case back" to the ECJ over and over, the DPC "must simply enforce the rules properly," he said.
SCCs provide important safeguards to ensure that Europeans' data is protected when sent overseas, emailed Facebook Associate General Counsel Jack Gilbert. The clauses "have been designed and endorsed" by the EC and enable thousands of Europeans to do business worldwide, he said.
If the ECJ rules SCCs invalid, it would "be of global significance as this would impact data transfers globally and not just to the US," emailed Cordery (London) commercial lawyer Andre Bywater. In that sense, it would have a far larger impact than the high court's 2015 ruling invalidating the EU-U.S. safe harbor agreement (see 1510060001), he said. If the court nixes model clauses, "then I imagine that, like with the Safe Harbor ruling, it might give a period of grace for the European Commission to come up with a new set of model clauses before the invalidation ruling takes full effect."
The EC may have considered this as it's supposed to revise the SCCs under the general data protection regulation, Bywater said. If SCCs are invalidated, another possible effect would be for organizations to look more closely at using binding corporate rules, although BCRs are only for intra-corporate data transfers, he said. There's also a risk for Privacy Shield because several of the questions referred to the ECJ concern it, he noted. "In a worse-case scenario it may be that if the court's ruling on EU-US Privacy Shield is negative this could have an indirect impact on any EU review undertaken" of the agreement, which is "already being somewhat wobbly."
"One of the most popular legal solutions to transfer personal data is under threat," said attorney Tanguy Van Overstraeten, Linklaters (Brussels) global head-privacy and data protection. Tens of thousands of companies and other organizations have signed SCCs, so an adverse ruling could have a significant impact, he said. It wouldn't likely affect BCRs, he noted, which are reviewed by national data protection authorities and considered a "robust solution positively perceived by regulators."
An adverse ECJ ruling could "massively impact global transfers of data from EU to non-EU countries, except those judged to have adequate data protection systems, said Van Overstraeten. He hopes the EC review of SCCs is "sufficiently agile" to allow them to pass any test imposed by the high court or to adapt quickly to whatever its ruling is. Although unlikely, an impact on Privacy Shield "cannot be excluded."