On October 3, 2017, the Irish High Court issued a judgment in the “Schrems II” case, which raises the issue of whether the EU Commission’s decision approving the EU’s Standard Contractual Clauses (SCCs) should be invalidated. The Court has decided to refer various issues to the Court of Justice of the European Union (CJEU) and is seeking comment from the parties involved with regard to the questions that should be raised.
The judgment reflects issues similar to those which led the CJEU to invalidate the EU-US Safe Harbor agreement. These issues include concerns regarding the scope of electronic surveillance by the US Government on national security grounds as well as whether EU citizens have effective remedies to address infringements of their privacy rights when their personal data is transferred to the US. Multi-national companies that rely on the SCCs to legitimise transfers of personal data to the United States will be watching developments in this case very closely.
The judgment also signals potential challenges for the UK Government post-Brexit with regard to securing an adequacy finding from the European Commission in relation to transfers of personal data from the EU to the UK. In late December 2016, the CJEU ruled that a UK law, known as the Data Retention Investigatory Powers Act (DRIPA), which required telecommunications operators to engage in bulk collection of metadata for national security and other purposes, was unlawful. However, the law that replaced it, the Investigatory Powers Act 2016 (IPA), is also subject to challenge before the UK High Court and, post-Brexit, may raise concerns similar to those being considered in Schrems II.
Our Data Privacy & Cybersecurity team will be watching these developments very closely as well as progress in relation to the EU-US Privacy Shield review.