Standard contractual clauses under the spotlight

King Canute had a long and successful reign, becoming monarch of the North Sea Empire: England, Denmark and Norway. Despite this, he is best remembered for demonstrating the limits of kingly power. Canute set his throne by the sea shore and ordered the tide not to come in and wet his feet. When the tide washed over them, he leapt back and proclaimed: “Let all men know how empty and worthless is the power of kings”.

The European Court of Justice could well benefit from Canute’s wisdom when it considers the validity of Standard Contractual Clauses - a vital legal tool used to transfer personal data out of the EU. 

Standard Contractual Clauses

In many cases, Standard Contractual Clauses are the only way to ensure compliance with Europe’s strict privacy rules in the General Data Protection Regulation when transferring personal data to third countries that do not have adequate data protection laws.

The clauses are, in fact, standard form contracts issued by the EU Commission. When businesses exporting and importing personal data enter into them, they make a contractual commitment to each other to abide by European privacy standards. More importantly, they also make that commitment to the individuals whose personal data is transferred.

Facebook & Max Schrems

The flashpoint for the current dispute is Facebook. Its Irish entity, Facebook Ireland Ltd, uses the controller-processor Standard Contractual Clauses to transfer information about its users to its parent, Facebook Inc., in the U.S. 

Long-time privacy advocate, Maximilian Schrems, complained about these transfers to the Irish Data Protection Commissioner. She carried out an investigation into Facebook and brought an action in the Irish High Court suggesting the Standard Contractual Clauses should be invalidated. 

The crux of the dispute is not misuse by either Facebook Ireland Ltd or Facebook Inc. Rather it is potential access by U.S. intelligence and law enforcement agencies once that data is in the U.S. The Irish High Court conducted a detailed review of the various surveillance powers available under FISA, the USA-PATRIOT Act and under Executive Order 12333 to assess this question. It also explored the many layers of review and oversight for these powers through the FISA Court, Presidential Policy Directive 28, private litigation and the new Privacy Shield Ombudsman.

While the U.S. authorities’ powers are subject to various checks and balances, the Irish High Court decided those safeguards were not sufficient. The chief criticism was that EU citizens do not have an adequate remedy if their data is misused. This breaches the right to remedy under Article 47 of the EU Charter of Fundamental Rights.

The dispute raises significant issues under EU law, so the Irish High Court referred a number of questions to the European Court of Justice. Those questions are wide ranging and include matters such as how to assess a third country’s data protection laws and whether it is appropriate to compare those laws with the surveillance regimes of EU Member States. This is a pointed question given some EU Member States have national security surveillance regimes that are not markedly different to those in the U.S. 

However, the key question is whether the Standard Contractual Clauses provide sufficient protection and, if not, whether they should be invalidated.

Holding back the tide

Underpinning all of this are fundamental rights to privacy. On the one hand, is it right your private information can be sent to third countries, handed over to law enforcement and security agencies, scrutinised, processed and profiled, all in circumstances where, even if those agencies do exceed their powers, you have no meaningful remedy?

On the other hand, international data transfers are not going to stop. They underpin modern commerce and are integral to the way the modern global economy works. More fundamentally, it is hard to see how they could be stopped. The internet does not respect national boundaries. 

So, like King Canute, the European Court of Justice may need to consider the practical limitations on its power. Invalidating Standard Contractual Clauses will not turn back the tides of data washing back and forth across the world, but would leave many businesses with no meaningful solution to comply with the law. This would be bad for business, bad for privacy regulators tasked with enforcing an impossible law and bad for the credibility of data protection law as a whole.

Next steps

The solution may be a healthy dose of fudge. The European Court of Justice might give a less dramatic judgment, for example allowing national data protection authorities to suspend transfers on a case-by-case basis. Even if the Standard Contractual Clauses are found entirely invalid, the EU Commission is thought likely to respond with “version 2.0” of the clauses, strengthened to address any shortcomings identified by the Court of Justice. Those new clauses may be more onerous and involve additional formalities, and may themselves be challenged in due course, but should keep the wheels of commerce ticking over in the short term at least.

The Court of Justice will hear the case on 9 July 2019. It should receive an opinion from the Advocate General in the autumn and issue a final judgment towards the end of the year.

By Peter Church

This opinion was first published in Computer Business Review.