On 3 October 2017, the Irish High Court held that it is up to the European Court of Justice ("ECJ") to determine whether Standard Contractual Clauses ("SCCs") are a valid method of transferring personal data outside of the EU in compliance with privacy law. SCCs are widely used by businesses that transfer data from the EU to the US as a means to comply with European data protection laws. They are intended to give EU citizens the same level of privacy and protection when their data is stored in the US as when it is stored in the EU.
The case involves an Austrian lawyer, Max Schrems, who originally filed a complaint with the Irish Data Protection Commissioner (the "Commissioner") challenging Facebook's use of SCCs. Schrems brought the case following revelations in The Guardian that the US National Security Agency had direct access to data on European users of Facebook stored in the US, as originally transferred from the EU. Schrems argued that the Commissioner should order Facebook to suspend sending data to the US, claiming that the standard clauses were not adequate to protect privacy under EU legal standards due to a lack of safeguards against US government surveillance.
The Commissioner argued that the case should be referred to the ECJ to determine whether the Commission's decision on standard clauses is consistent with the EU Charter of Fundamental Rights. Justice Caroline Costello agreed that there were "well-founded grounds" for challenging the European Commission decision to approve SCCs as valid data transfer channels. The Irish judge held that only the ECJ has the jurisdiction to rule on the validity of a European measure.
The case is the latest to question whether methods used by large tech firms such as Facebook, Google and Apple to transfer data outside the European Union provide EU consumers sufficient protection from US surveillance. This case also affects other companies that store information across borders and seek to transfer it...