September 28, 2020

Volume X, Number 272

September 28, 2020

Subscribe to Latest Legal News and Analysis

Irish High Court Refers Future of EU Model Clauses to CJEU

On October 3, 2017, the Irish High Court referred Data Protection Commissioner v. Facebook Ireland Limited & Maximilian Schrems to the Court of Justice of the European Union (CJEU), where the future of standard contractual clauses (SCCs) will be decided.

In December 2015—following the CJEU’s landmark decision in Maximillian Schrems v. Data Protection Commissioner invalidating the U.S.-EU Safe Harbor framework—Schrems amended his original complaint to the Irish Data Protection Commissioner (DPC), challenging the validity of data transfers to the U.S. based on the European Commission approved SCCs.  Based on the CJEU’s Schrems decision, the Irish DPC petitioned the Irish High Court asking to refer the matter to the CJEU for ruling on the question of whether the European Commission’s SCC decisions are valid under European law.  Specifically, the Data Protection Commissioner questioned whether there is an effective remedy under U.S. law compatible with the requirements of Article 47 of the EU Charter of Fundamental Rights for an EU citizen whose data is transferred to the U.S., where such data is subject to electronic surveillance by U.S. agencies for national security purposes. EU  citizens  have  a  right  guaranteed  by  Article  47  of  the  Charter  to  an  effective remedy before an independent tribunal if their rights or freedoms are violated. These include the rights under Articles 7 and 8 to respect for private and family life and protection of personal data.

The CJEU will now have to decide the validity of SCCs as a basis for data transfer from the EU to the U.S. and elsewhere.  A ruling by the CJEU could take as long as two years to deliver. Amongst the possible outcomes are that the Court could ultimately find the SCCs valid as-is; it could find them invalid as-is but recommend ways to fix them; it could find that EU data protection authorities must assess the adequacy of the SCCs on a case-by-case basis; or it could find that private contractual clauses – and potentially other data transfer mechanisms as well – do not provide adequate data protection in the context of transfers to certain jurisdictions (like the U.S.) and that the only remedy to this is a political solution (e.g., an agreement by the foreign government to grant EU data subjects certain rights). This last potential outcome could also impact the continued validity of the Privacy Shield framework for transfers of personal data from the EU to the U.S.

These developments in this case come just after the European Commission and U.S. Department of Commerce completed their first annual review of the Privacy Shield framework (press release here). While the formal report of this review is not expected until the second half of October, statements from Commission officials and European data protection authorities at the 39th International Conference of Data Protection and Privacy Commissioners have suggested that the report will be favorable. For organizations transferring data from the EU to the U.S., relief as to the outcomes of the first annual Privacy Shield review may well be overshadowed by longer term concerns as to how the CJEU might approach this important case.

© 2020 Foley & Lardner LLPNational Law Review, Volume VII, Number 277


About this Author

Peter A. Blenkinsop, Drinker Biddle Law Firm, Healthcare and Data Privacy Attorney, Washington DC

Peter A. Blenkinsop advises clients on data privacy, research compliance, and e-health. He co-chairs the firm’s Information Privacy, Security & Governance practice. Peter represents clients in the life sciences, health, nutrition, and technology sectors, among others.

Peter’s focus on data privacy and security law began well over a decade ago in the run up to implementation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Since then, his practice has expanded well beyond health information privacy to data privacy...

Jeremiah Posedel, Privacy & Data Security lawyer, Drinker Biddle

Jeremiah Posedel assists clients in two distinct but overlapping domains: (i) information technology transactions and (ii) information privacy and security. First, Jeremiah advises on and negotiates a wide array of transactions involving the acquisition, development and leveraging of information technology assets, including hardware, software and database licensing, outsourcing and cloud-based services arrangements, and system implementation and support agreements. Second, Jeremiah counsels clients on domestic and international privacy and security regulations and standards applicable to the collection, use and disclosure of personal data, including the FTC Act, HIPAA, COPPA, CAN-SPAM, TCPA, GLBA, PCI-DSS, DAA Program for Online Behavioral Advertising, and EU Data Protection Directive. He works with organizations to develop and implement comprehensive privacy/security programs and compliance strategies focused on a variety of data processing activities, including digital and interest-based advertising, big data analytics, workplace monitoring, mobile device and app deployment, cross-border data transfers, clinical research and e-commerce initiatives.