Last week, the High Court of Ireland submitted eleven questions about the personal data transfer regime between the European Union (EU) and the United States to the Court of Justice for the European Union (CJEU) for consideration. This referral stems from a new claim by Max Schrems, an Austrian lawyer and privacy activist. Schrems previously challenged the adequacy of the U.S. Safe Harbor data transfer regime to protect EU personal data transferred by technology companies and affiliates in Ireland (including Facebook) to the United States. In 2015, the CJEU struck down the U.S. Safe Harbor as a valid mechanism to transfer data to the U.S. as a result of a referral from the Irish High Court arising from Schrems’ prior lawsuit.
Schrems’ new claim specifically challenged whether the EU’s standard contractual clauses (SCCs) adequately protect EU personal data transferred from Facebook’s Irish entity to the United States. Schrems’ concern is that EU personal data transferred by Facebook to the U.S. under the SCCs could be accessed by the National Security Agency (NSA) as part of the NSA’s mass surveillance programs.
However, the Irish High Court’s eleven-question referral to the CJEU was much broader than questioning just the adequacy of SCCs. The CJEU is being asked to consider the adequacy of the Privacy Shield mechanism (adopted in 2016 as a replacement for the EU-U.S. Safe Harbor) as well as SCCs. It is also being asked to address how to resolve conflicts between different countries’ data protection rules and regulations, as well as violations of individual rights caused by surveillance law and the authority of data protection authorities to suspend cross-border data transfers, particularly based on concerns about mass surveillance law.
Additionally, in its first annual review of the Privacy Shield data transfer mechanism, the EU Article 29 Data Protection Working Party (WP29) called for the appointment of a permanent Privacy Shield ombudsperson in the U.S., among other protective safeguards. The WP29 requested that the U.S. address these safeguards by May 25, 2018, when the GDPR, the EU’s new data protection law, comes into effect. To date, the U.S. has not addressed the WP29’s concerns. If anything, the U.S. extension of FISA earlier this year may have created more questions, as it did not include privacy protections for foreigners’ data. While the CJEU’s response to the eleven questions is not likely to be issued for months, significantly higher fines for violations of the GDPR are possible beginning on May 25.