Irish High Court refers challenge to Standard Contractual Clauses to EU Court of Justice

The Irish High Court has referred the latest legal challenge to the validity of the EU Standard Contractual Clauses (SCCs) to the Court of Justice of the European Union (CJEU). The DMA expects this decision to kick start discussion around the necessary changes to SCCs to reflect the GDPR ahead of these new laws coming into force next year.

The case has come about from a claim made by Max Schrems, who previously successfully challenged the validity to the now defunct Safe Harbor Program between the EU and US. Schrems requested that the Irish Data Protection Commissioner (DPC) declare that the SCCs are invalid, as they do not provide sufficient protection when personal data is transferred outside the EU, to the US and elsewhere.

The Irish DPC decided not to make such a ruling, instead referring the case to the Irish High Court and requesting that the case be referred to the CJEU for a final decision on the validity of the SCCs. This casts some doubt on the future validity of the SCCs, which many organisations rely on in support of transfers of personal data to the US and other countries.

If the CJEU agrees that the existing SCCs don’t provide adequate protection, organisations that rely on them currently will need to implement alternative data transfer mechanisms (for example, US-EU Privacy Shield certification or Binding Corporate Rules).

However, no date for the CJEU’s decision in the case has been set and it is expected to take as long as two years for a final decision to be made. In the meantime, the current version of SCCs will remain valid and with GDPR coming into force in May 2018, the European Commission will need to update the SCCs anyway. As such, the DMA expects this referral to kick-start this process of reviewing SCCs to reflect the GDPR.

The DMA will continue to monitor the progress of the case and lobby the European Commission on behalf of the industry on the implementation of GDPR. If you have any concerns regarding this case or its implications, please contact DMA’s External Affairs Manager, Zach Thornton, via email: Zach.Thornton@dma.org.uk