27. Feb 2017

Another obstacle to international data transfers

In the wake of the Safe Harbor case – where the Safe Harbor agreement was ruled invalid – it is now the ‎EU Commission's standard contractual clauses that are in the firing line.

As a general principle under the Danish Data Protection Act (and the underlying Data Protection ‎Directive), data may be transferred to a third country only if this country ensures an adequate level of ‎protection. The new General Data Protection Regulation contains similar provisions. But now the ‎question of what exactly is an adequate level of protection has been raised once again.‎

The case is based on the complaint filed by Austrian Facebook user Maximilian Schrems about the Safe ‎Harbor agreement. Schrems felt that the agreement did not ensure an adequate level of protection for ‎the personal data transferred by Facebook in Ireland to Facebook in the US. The case resulted in the Safe ‎Harbor agreement being ruled invalid by the ECJ in 2015.‎

After this ruling, Facebook had to find another legal basis for its data transfers – and the choice fell on ‎the EU standard contractual clauses, which are generally widely used as a transfer basis. However, ‎Schrems has also complained about this transfer basis to the Irish data protection authority, arguing that ‎this legal basis, too, does not ensure an adequate level of protection.‎

The Irish data protection authority has therefore brought the matter before the Irish High Court with a ‎view to obtaining a ruling from the ECJ on the validity of the EU standard contractual clauses. As the EU ‎standard contractual clauses were established by decision of the European Commission, it is the ECJ ‎alone which can declare it invalid.‎

The case is currently being argued before the Irish High Court.‎

Norrbom Vinding will follow the case and report on any developments.

Norrbom Vinding notes

  • that a large part of data transfers out of the EU to third countries take place on the basis of the EU ‎standard contractual clauses, as this is an easy and convenient way of ensuring compliance with EU law; ‎and
  • that, accordingly – if the EU standard contractual clauses are ruled invalid as a transfer basis – the case in ‎Ireland may have quite far-reaching implications and constitute a major challenge to data transfers out ‎of the EU to third countries such as the US, India and China.‎

The above article is intended for general information only and does not constitute legal advice.


Data protection