New Threat to Transatlantic Personal Data Transfers: Possible Invalidation of Standard Contractual Clauses

Since 2013 revelations about U.S. mass surveillance, the transfers of personal data between the EU and the U.S. have encountered regular legal threats: cancellation of the Safe Harbor by the Court of Justice of the European Union (CJEU) in the Schrems case in October 2015, serious criticism from some EU institutions and national data protection authorities concerning the draft of the Privacy Shield, and a declaration by the Article 29 Working Party concerning the future review of standard contractual clauses (SCCs) and binding corporate rules as transfer mechanisms.

After the cancellation of the Safe Harbor, the Irish High Court, from which the referral to the CJEU originated, ordered in the same Schrems case, still pending at national level, an investigation concerning Facebook international transfers of personal data.  The result of this investigation was revealed by Max Schrems himself in a May 25, 2016, press release where he declared:

In an unpublished draft decision of May 24th 2016 the Irish DPC followed the objections of the Complainant Mr. Schrems in the procedure between Mr. Schrems and Facebook Ireland Ltd. Mr. Schrems claimed that Facebook USA continues to be subject to U.S. mass surveillance laws, independent of the use of “model causes” or “Safe Harbor” and that his data continues to be subject to fundamental rights violations once it reaches the United States.

In consequence of this, the Irish Data Protection Commissioner (Irish data protection authority) has decided that it will again refer the case to the CJEU to determine the legal status of data transfers to the U.S. under SCCs.  The risk that the CJEU will declare that the transfers to the U.S. based on SCCs are vitiated for the same reasons as those relating to the cancellation of the Safe Harbor is very high.  Therefore, it is clear that both the EU and the U.S. have an important common interest to improve the draft of the Privacy Shield still under discussion.

For more information on the GDPR, please refer to the following prior Password Protected blog posts:

EU-U.S. Privacy Shield: Better or Worse?

Replacing Safe Harbor: EU-U.S. Privacy Shield Announced

U.S. Chamber of Commerce and Business Europe Request Quick, Perennial Safe Harbor Fix

Safe Harbor Invalidated by the CJEU; Are There Other Solutions for Transatlantic Transfers?

Means, Other Than Safe Harbor, of Transferring Personal Data to the U.S. Potentially Vitiated?

CJEU Declares the EU Commission Safe Harbor Decision Invalid