There are only a few ‘legitimate’ ways to transfer personal data from the EU/EEA to a so-called ‘unsafe’ third country. In recent years, and especially since the Safe Harbor framework was declared invalid by the European Court of Justice two years ago, almost all of those ways have been criticized. Will the Standard Contractual Clauses remain valid?
SCCs as ‘the’ standard
Standard Contractual Clauses are a common measure for transferring personal data abroad. A lot of European companies use the Clauses, either for transfers inside the corporate group or to other companies or vendors. The different sets may be used for controller-to-controller as well as for controller-to-processor transfers. The Clauses are meant to provide an ‘adequate’ level of data protection. But are the Clauses still a valid way to assure this level? And have they ever been an ‘adequate’ way?
‘Safe Harbor’ and the ‘Privacy Shield’
We all remember the ‘big bang’ in the data protection world in October 2015: the European Court of Justice declared the ‘Safe Harbor Framework’ invalid – the famous ‘Schrems case’. ‘Finally’, a lot of data protection experts said. But for companies operating globally, a time of uncertainty and lack of clarity started. The Privacy Shield then replaced Safe Harbor and is now a valid ground for transferring personal data to a Privacy Shield certified company in the US.
SCCs under scrutiny
At the moment, Standard Contractual Clauses adopted by the Commission are recognized (and incorporated within the GDPR) as an appropriate safeguard for cross-border data transfers. The GDPR states that “Decisions adopted by the Commission on the basis of Article 26 (4) of Directive 95/46/EC shall remain in force until amended, replaced, or repealed, if necessary, by a Commission Decision.” If the European instruments are declared invalid, “[i]t then falls to the competent European institutions to adopt a new instrument to rectify the situation.”
Irish High Court on SCCs
However, the privacy world is now, after the Safe Harbor decision, facing a new challenge. Last week, the Irish High Court gave its decision in ‘Data Protection Commissioner v. Facebook Ireland and Max Schrems’ (“Schrems 2.0”), IAPP reports. In its ruling, the Irish High Court shared the Irish DPC’s “well-founded concerns” about the validity of SCCs, which made it “necessary and appropriate” to refer the matter to the Court of Justice of the European Union. With this opinion, it also rejected Facebook’s argument that European law does not apply to the issue:
“clearly EU law is engaged in respect of these transfers.”
What would we do without SCCs?
The decision of the Irish High Court will have a major impact on data transfers from the EU/EEA abroad. And the opinion of the Court of Justice of the European Union will decide whether the SCCs have a future under the GDPR.