- Today, the Irish High Court ruled that Ireland’s Data Protection Commissioner (DPC) can resume investigation of Facebook’s data practices, which may lead to a ban on its transatlantic data flows.
- The DPC had issued a Preliminary Draft Decision (PDD) that the mechanism relied upon, Standard Contractual Clauses (SCCs), and which many other businesses rely upon also, cannot in practice be used. The court’s rejection of the challenge to the PDD could, therefore, have serious consequences for EU-U.S. data flows.
- Businesses will, therefore, need to watch developments re any ban based on current SCCs use and urgently review what processes and documentation may need to change to reflect that and/or look to possibly use new SCCs, drafts of which were recently proposed by the European Commission.
Today saw a key ruling by the Irish High Court which could have wide ranging implications in relation to a range of data use, targeted advertising and data transfers between Europe and the United States.
The Irish data protection enforcer, the DPC, had issued a Preliminary Draft Decision (PDD) raising various concerns over the lack of privacy rights of EU citizens when their personal data is transferred to the U.S. for commercial purposes and the basis typically relied upon by businesses, namely, the Standard Contractual Clauses (SCCs).
SCCs are pre-approved terms that, if used correctly, can provide a basis for transferring European data to the U.S. and avoid the GDPR prohibitions on such transfers (given the U.S. is not deemed to provide adequate protections).
In a July 2020 ruling (known as Schrems II), Europe’s top court had looked at both SCCs and the Privacy Shield data transfer scheme, only to shoot down Privacy Shield. Although various points and concerns were flagged in that ruling, SCCs survived. As a result many businesses have sought comfort in using SCCs as their basis for transatlantic data flows.
This latest Irish DPC decision now threatens to have a significant ripple effect as it throws a cloud over use of the current SCCs. Other regulators in European countries (whether the EU or UK) will be watching with interest and could adopt similar enforcement guidelines. With Privacy Shield shot down many businesses that could not use it had turned to using SCCs.
One possible silver lining does exist in the form of new draft SCCs, which were published by the European Commission at the end of 2020. These were intended to update the current “old” SCCs in any event and have been going through consultation and review stages.
There is no set date for when these will be able to be used but the hope was it could be later this year.
The bottom line for businesses is that they should be aware we may be headed for a prohibition or restriction on EU-U.S. data flows. Accordingly, businesses should now review what basis they are relying on for their data transfers and consider what they need to do to best anticipate and be ready for such changes.
As a minimum, it would be prudent to consider now what processes, agreements and documentation may need to change.