Executive summary: The EU’s standard contractual clauses may be on the fast track to invalidation, putting a vast number of personal data transfers from the EEA at risk. A case brought by Maximilian Schrems (whose first complaint resulted in the invalidation of Safe Harbor) has been referred to the EU’s highest court, via a 153-page Irish High Court decision that provides ample ammunition to those who would like to see the standard contractual clauses struck down. Although aimed at Facebook, the consequences of the decision are virtually certain to affect all US companies that rely on the standard contractual clauses.
Many companies around the world rely on the EU’s standard contractual clauses (also known as the model clauses, and referred to in this article as the “SCCs”) as the legal basis for transferring personal data from the European Economic Area (EEA) to countries whose privacy laws have not been found adequate by the EU Commission. The SCCs are private contracts, and while some EEA countries require that parties that enter into SCCs deposit a copy, other countries do not, so no one knows for sure how many companies rely on the SCCs. But the answer is probably “an awful lot of companies.” Given the data flows between the EEA and US, and the fact that, as of today, only around 2,500 companies rely on Privacy Shield as the legal basis for the data transfers, it’s safe to assume that for US companies, the standard contractual clauses are the primary mechanism for transferring personal data to the US.
The SCCs have been subject to a legal challenge by Maximilian Schrems (often called the Schrems II case) that has just reached a critical inflection point: The Irish High Court has issued a decision referring to the Court of Justice of the EU (CJEU) the question of whether the SCCs are invalid. The main thrust of the invalidity argument is the assertion that US national security laws do not offer adequate levels of protection for the rights of EU residents. In particular, the argument runs, EU residents lack a meaningful remedy before US courts for uses of their personal data by US national security agencies that are inconsistent with those persons’ rights under EU law.