• The long-running challenge to the so-called EU Standard Contractual Clauses and the EU-US Privacy Shield, both used to lawfully transfer personal data outside of Europe, is now going to be heard by the European Court of Justice (“ECJ”) after an attempt to block the referral was rejected by the Irish Supreme Court.
• The ECJ will now assess and opine on whether these methods of international data transfer satisfy the requirements of the GDPR, with the potential for either or both mechanisms to be struck down like the US Safe Harbor was in 2015.
• If the court finds either method to be invalid, it would have a major impact on the cross-border transfer of personal data, leaving companies with significant GDPR compliance issues and extremely limited options to be able to lawfully transfer data across national boundaries.

Background

The GDPR restricts the international transfer of personal data from the EU to any country located outside of the EU unless certain specific protections are in place. Some of the most commonly used methods to ensure such protections are: (i) entering into a set of contractual clauses approved by the European Commission, the so-called “Standard Contractual Clauses”, which oblige the data exporting and importing parties to adhere to certain privacy requirements; and (ii) relying on the EU-US Privacy Shield scheme, pursuant to which companies in the US are able to register to be on the Privacy Shield, thus allowing the free transfer of personal data to them.

The current case is the latest in a series of legal challenges to the ways in which personal data is transferred internationally. In 2015, the predecessor to the EU-US Privacy Shield, the US Safe Harbor, was challenged as not providing adequate protection for personal data being transferred to the US. That case resulted in the ECJ finding the Safe Harbor to be invalid and the EU-US Privacy Shield was negotiated between the EU and the US to take its place.

Standard Contractual Clauses no more?

The practical implications of a finding by the ECJ that either the Standard Contractual Clauses or the Privacy Shield does not provide adequate protections are potentially vast. With companies transferring increasingly large amounts of personal data to the US and elsewhere, a finding that these established methods of transfer are inadequate would cause a compliance nightmare for untold numbers of companies. Nearly 5,000 companies are registered on the Privacy Shield List and it is impossible to know how many hundreds of thousands rely on Standard Contractual Clauses to transfer data not just to the US but all around the world.

If the Standard Contractual Clauses and the EU-US Privacy Shield were to be struck down, it would leave companies with very few options in order to be able to lawfully transfer data out of the EU. Potential alternatives include: (i) transferring to a country which has been found by the European Commission to be ‘adequate’ – there are very few of these and the US is not one of them; (ii) having in place binding corporate rules – not many companies have these and they only legitimise transfers within an organisation rather than to third parties; or (iii) explicit consent from the individuals – unlikely to be practical in many circumstances and would not work for the transfer of employee data given the difficulties obtaining valid employee consent under the GDPR. However, as described above, none of these methods would provide a satisfactory solution to legitimise the frequent transfer of large amounts of data to a non-adequate jurisdiction such as the US.

The case is therefore one which could have far-reaching consequences. In particular, in a world where shareholders are becoming increasingly aware of privacy issues and where the financial penalties for non-compliance with data privacy laws are severe, this is a referral which companies and their advisors ought to keep a close eye on.

The timetable for the decision from the ECJ is unclear. Cases in the ECJ can take years, although the Safe Harbor decision was handed down after only one year.

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

Lauren Hudson
Associate, Digital TMT & Data, London
+44 20 7466 2483