Schrems case continues: Irish court to refer Standard Contractual Clauses to the Court of Justice of the European Union

After invalidated the Safe Harbour agreement to transfer personal data to the US, the Court of Justice of the European Union (CJEU) will soon be asked to look into another existing tool for international data transfer: Standard contractual clause. Until the CJEU provides its ruling, standard contractual clauses remain valid and should continue to be used.

In the case opposing Max Schrems and Facebook Ireland vs DPC (Irish Data Protection Commissioner), the DPC asked the Irish high court to consider the validity of the Standard contract clauses used by Facebook to transfer data to the US following the fall of the Safe Harbour agreement in 2015. Standard contractual clauses have been developed by the European Commission and enable data controllers and data processors to transfer personal data outside of the European Union.

Like in the Safe Harbour case, the CJEU will have to look at Standard contractual Clauses validity, and whether EU resident’s personal data are sufficiently protected when transferred outside of the EU using this tool, in particular when transferred to the US. The Irish High court has not yet referred to the CJEU, but will seek first submissions from various parties on the exact questions to be referred, before the CJEU can start working on them. This process is likely to be quite lengthy, and nothing can be expecting before the 25th May 2018, when the GDPR will come into place, which may influence the ruling of the CJEU, depending on the questions asked by the Irish Court.

Meanwhile, it is important to stress that Standard contractual clauses should remain in use, and continue to be valid. As the DPC states on its website:” It is important to note that today’s decision does not invalidate the SCCs {nor the Privacy Shield); neither does it prohibit their continued use for the purpose of data transfers to the US or elsewhere”.