Late last week, the Supreme Court in Ireland rejected an appeal against an earlier decision by the country's High Court to refer 11 questions concerning the use of 'model clauses' to the Court of Justice of the EU (CJEU).
The case, set to be heard by the CJEU on 9 July, concerns whether the use of model clauses for EU-US data transfers is compliant with the requirements of EU data protection law.
Dublin-based data protection law expert Andreas Carney of Pinsent Masons previously said the case could call the entire framework for international data transfers into question.
The Supreme Court's ruling applies to an underlying dispute between Ireland's Data Protection Commission (DPC) and Facebook over the use of model clauses to facilitate EU-US data transfers. The DPC's involvement was prompted by a complaint raised by Max Schrems, the Austrian privacy campaigner who was behind the legal challenge that brought down the now-invalid EU-US 'safe harbour' regime for data transfers in 2015.
Facebook challenged the basis of the Irish High Court's referral of the case to the CJEU. In particular, it has said the High Court should have given greater consideration to the increased safeguards for data transfers to the US from the EU that are made under the EU-US Privacy Shield. The CJEU will, in part, consider how applicable those safeguards are to data transfers made using model clauses.
In its ruling, the Supreme Court said that it could not "entertain any appeal against the decision of the High Court to make a reference or against the terms of that reference", but it said that it did have the power to accept an appeal against facts asserted by the High Court if it could be established that those facts were "not sustainable".
However, the court determined that Facebook's concerns related to the way the facts, as established by the High Court, were to be characterised and were not about the facts themselves, and it dismissed the social networking company's appeal.
A Facebook spokesperson said: "We are grateful for the consideration of the Irish court and look ahead to the Court of Justice of the European Union to now decide on these complex questions. Standard contract clauses provide important safeguards to ensure that Europeans’ data are protected once transferred overseas. SCCs have been designed and endorsed by the European Commission and are used by thousands of companies across Europe to do business."
EU data protection law says that personal data can only be transferred outside of the European Economic Area (EEA) if the data will be protected as well in the destination jurisdiction as it is within the EU. At the moment, there are a number of mechanisms in place to achieve that. These include where the European Commission has designated the non-EEA destination country as having adequate data protection, or where businesses put in place 'binding corporate rules', agreed with regulators, to govern intra-group data transfers to non-EEA countries. The use of European Commission-provided 'model clauses' is a further option.
Model clauses are a series of standard contract clauses (SCCs) that the European Commission has developed for use in cross-border contracts. They set out how personal data should be handled when transferred outside of the EU to 'third countries'. The Commission has previously issued decisions that endorse model clauses as tools providing for adequate protection of personal data when used for data transfers, as is required by EU data protection law.
The use of model clauses has therefore become widespread among international businesses. Many companies have come to rely on their use of model clauses as demonstrating their compliance with EU data protection law requirements on data transfers.