An earlier post on this site reported on the July 16th judgment by the Court of Justice of the European Union (CJEU) invalidating the EU-US Privacy Shield framework. The CJEU’s decision, however, left intact the Standard Contract Clauses (the “SCCs”) for data transfers between European Union and Non-European Union countries. The Standard Contract Clauses, which are promulgated by the European Commission, offer sufficient safeguards on data protection for data to be transferred internationally. The SCCs can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
In its July 16th ruling, the CJEU found that the SCCs were not invalid merely because they do not bind the authorities of the country to which data is transferred. However, the CJEU also found that the SCCs imposed an obligation on a data exporter and the recipient of the data to verify, prior to any data transfer, whether the level of protection required in the SCCs is respected in the country to which the data is to be transferred. In the event that such is not the case, the parties are obliged to suspend data transfers.
With the invalidation of Privacy Shield, companies transferring data between the EU and the US defaulted to the SCCs as the basis for demonstrating data transfers comply with EU law. Facebook was one such company. On September 9th the Wall Street Journal reported that Ireland’s Data Protection Commission (the “DPC”) had sent a preliminary order to Facebook requiring it to suspend data transfers about its EU users to the US. Although the order has not been made public, Facebook confirmed that as part of the order the DPC has suggested that the SCCs were no longer valid for EU-US data transfers. On September 11th Facebook announced that it has appealed the DPC’s order to Ireland’s High Court.
Obviously, the outcome of the case has profound implications for any US company doing business in the EU if such business involves data transfers.