This website uses cookies to improve your browsing experience.
By continuing to use this website you consent to the use of cookies in accordance with our cookie policy. To find out more, click on this link: Read More Allow Cookies

Technology, innovation, law and tax

International transfers of personal data under scrutiny in Irish courts

By: Elena Vassileva

Prior to the original Schrems ruling, there were three legal routes by which data transfers from the European Union to the USA were actioned, namely the Safe Harbor framework, standard contractual clauses and binding corporate rules. The Safe Harbor fell as a consequence of the original Schrems ruling and was substituted by the Privacy Shield in July 2016. Irish privacy advocacy group Digital Rights Ireland has since sought the annulment of the European Commission’s decision implementing the Privacy Shield. Now the standard contractual clauses route is under review.

On the basis of Article 26 (4) of the Data Protection Directive, the European Commission has the power to decide that certain standard contractual clauses provide adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights. To date, the Commission has produced two sets of standard contractual clauses relating to transfers from data controllers within the EU/EEA to data controllers established outside of the EU/EEA and one set relating to transfers to data processors established outside of the EU/EEA. 

As we reported in January, on 07 February 2017 proceedings started in the High Court of Ireland which relate to the validity of standard contractual clauses, also known as model clauses. In essence, as explained by the Irish Data Protection Commissioner (the “DPC”) in two explanatory memos, after the judgment of the Court of Justice of the European Union (the “CJEU”) in the original Schrems case, Mr Max Schrems reformulated his complaint lodged with the DPC in 2013 to take into account the fact that the Safe Harbour decision had been invalidated and that since 2015 Facebook Ireland transfers personal data to its parent company Facebook Inc. in the USA on the basis of standard contractual clauses. Following investigation, the DPC came to the conclusion that Mr Schrem’s complaint was well-founded. The DPC agreed that an effective legal remedy against access and processing of personal data by US State agencies for national security purposes in a manner incompatible with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union is not available in the USA to European citizens. The DPC also accepted that the standard contractual clauses approved by the Commission decisions are not compatible with the findings of the CJEU in the original Schrems ruling as regards the absence of such a remedy. On that basis, the DPC is now seeking the request by the High Court of Ireland of a preliminary ruling from the CJEU as to the validity of standard contractual clauses. 

In addition to Mr Schrems and Facebook, the US Government, BSA Business Software Alliance, Digital Europe and Electronic Privacy Information Centre were joined to the proceedings and will act as friends of the court, and will make legal submissions. 

The case is scheduled to run for approximately three weeks and is expected to commence and to close with submissions from the DPC.

For more information on the content of this Blog post contact: Elena Vassileva, elena.vassileva@rdj.ie

0 Comments

Add Comment
Letter footer for printed documents
© 2017 Ronan Daly Jermyn
Web design by Granite Digital