International Data Transfers – Again

Remember how the whole point of the Schrems litigation was that the Irish Data Protection Commissioner wasn’t doing enough (/anything) to query the protections available for data subjects in the US under the Safe Harbor scheme? Well, with the zeal of the convert – or alternatively, on the basis of once bitten, twice shy – the Irish DPC has now announced that its new-found energy encompasses a desire to call into question the compatibility of US data transfers under the approved Standard Contract Clauses, in the light of the Schrems judgment.

The DPC’s press release does not quite make clear what approach it has adopted, but states that it is going to asking for declaratory relief on the point from the Irish High Court and a reference to the CJEU. As this blog has repeatedly noted, the reassuring noises made by the European Commission, the Article 29 Working Party and some national regulators, as well as various practitioners, about the ongoing validity of Standard Contract Clauses has always had more of a ring of practicality-driven optimism than principle about it. If the US system does not provide sufficient protections despite Safe Harbor, particular in the light of Governmental data-gathering, it is hard in the abstract to see how a contractual term might fill that gap. And are Binding Corporate Rules any better? But either way, it will certainly be interesting to see how the point is dealt with now it has been taken, and kudos to the Irish DPC for recognising that there is a real problem. Crossing one’s fingers and hoping no-one complains before the Privacy Shield takes effect is not a good enough answer.

Speaking of the Privacy Shield, readers may also wish to note the further sceptical voice of the European Parliament, which has just overwhelmingly passed a non-legislative resolution which sets concerns about a number of perceived “deficiencies” in the Privacy Shield proposal and calls on the Commission to rectify them. Given the length of time it took to come with the Privacy Shield, the ability of the Commission to secure improvements must be open to some doubt, but the calls for it to do so are increasing.

Christopher Knight