The Schrems II case follows on from Schrems I, in which the ECJ - following a complaint by Austrian student Max Schrems about the flow of personal data from Facebook in Ireland to Facebook in America and subsequent processing of that data by US surveillance authorities - declared the "Safe Harbour" provisions for transferring data between the EEA and the USA invalid.
With "Safe Harbour" declared invalid, many undertakings began to rely on the "Standard Contractual Clauses" (SCCs, also known as Model Clauses) as a basis for transferring personal data outside of the EEA. Please see our other article 'Restricted Transfers and Model Clauses' for more information on this topic.
Following Schrems I, and the invalidation of "Safe Harbour", the Irish Data Protection Commissioner (DPC) investigated the alternative potential legal basis for transfers outside of the EEA. The DPC concluded that the SCCs may also not be valid and instigated proceedings in the Irish High Court, which subsequently referred several questions to the ECJ on the validity of the European Commission decisions approving the SCCs.
So, what's happened so far?
In Schrems II, the High Court questioned the compatibility between the SCCs and the protections under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (Charter Rights).
The questions referred to the ECJ included whether the Charter Rights apply to personal data that has been transferred to the USA in the knowledge it may be processed by USA security services. Facebook had argued that such processing was necessary for national security, which is one of the derogations from the Charter Rights permitted by EU data protection law.
Further, the High Court questioned whether the SCCs provide inadequate protection to the Charter Rights when data is transferred to the USA, as EU data subjects' remedies for unlawful processing in the USA are significantly limited.
Other key issues referred to the ECJ included the level of protection required under the SCCs; how to measure violations of data protection rights when data is transferred outside of the EEA; and by which standard the adequacy of the recipient country's data protection laws is measured.
Facebook took the matter to the Irish Supreme Court to appeal the High Court's decision and for an order that the High Court had erred in certain findings of fact. The Supreme Court found that the decision to amend or withdraw a reference to the ECJ could only be made by the Court which had originally made that reference – in this instance, the High Court. The Supreme Court would only be able to overturn findings of fact that were incompatible with Irish Law, not the reference itself. When considering appeals on findings of fact, the Supreme Court noted that it could only consider a limited number of Facebook's grounds of appeal, as a number of the grounds involved a direct appeal against the reference to the ECJ or the text of the reference, and, as noted above, this was not a matter for the Supreme Court to decide. On the remaining grounds of appeal, the Supreme Court considered that Facebook's issues were not with the facts themselves, but rather with the characterisation of those facts. The Supreme Court was therefore not satisfied that it could properly justify overturning any finding of fact by the High Court, and the appeal was dismissed.
The ECJ hearing took place on 9 July, with a non-binding opinion due to be published on 12 December 2019, and a full decision expected early in 2020.
Businesses should keep a watching brief on these developments, as the impact of any decision on the validity of the widely used SCCs as an adequate safeguard for transferring personal data to a "third country" is likely to be significant. This would be particularly so in the event of a no-deal Brexit, at which point the UK itself would become a "third country". Please see our article 'Data Protection and a No-Deal Brexit' for further information on the data protection implications of a No-Deal Brexit.
Written by Tim Howden