A PRIMER ON DATA TRANSFER UNDER EU LAW
Under the Directive, data transfers to third countries outside the EEA are generally prohibited unless the European Commission (the "Commission") considers the level of data protection in that country to be "adequate" for the purposes of Article 25 of the Directive (known as an "adequacy decision"), or where certain specifi ed measures are taken pursuant to Article 26 of the Directive. WHAT ARE STANDARD CONTRACTUAL CLAUSES?
One such measure is the use of standard contractual (or "SCCs") which have been approved by the Commission and which are included in contracts between the transferring party (based within the EEA and known as the data exporter) and the receiving party (based in the third country and known as the data importer). SCCs therefore impose contractual obligations on the parties to ensure an adequate level of data protection even where the third country to which the data is transferred is not itself deemed adequate. SCCs do not impose any obligations on public authorities in the third country to which the data is transferred SCCs are widely used as a mechanism to transfer personal data from the EEA to third countries such as the US, which do not have an adequacy decision. On 3 October 2017, the Irish High Court handed down judgment in Data Protection Commissioner v Facebook and Maximillian Schrems, a case known as "Schrems II" concerning the validity of standard contractual clauses ("SCCs") as a mechanism to facilitate the transfer of personal data to third countries located outside the EU. The High Court will now refer certain questions on the validity of SCCs to the Court of Justice of the European Union ("CJEU") for determination. This briefi ng considers the case and its implications for international data transfers.
BACKGROUND - SCHREMS I
The High Court's ruling is the latest instalment in a long-running dispute involving Austrian citizen, Maximillian Schrems, Facebook and the Irish Data Protection Commissioner ("DPC"). Mr. Schrems previously complained to the DPC claiming that his personal data had been unlawfully transferred from Facebook's Irish subsidiary to its US-based parent, Facebook, Inc. in reliance on the EU-US Safe Harbour framework. The DPC initially rejected Mr. Schrems' complaint but on a judicial review, the High Court referred the matter to the CJEU. In an important 2015 decision, the CJEU struck down the Safe Harbour framework on grounds that the Safe Harbour...