Tens of thousands of companies which use standard contractual clauses to transfer data from the EU to other parts of the world have an anxious five month wait until Europe’s top court rules whether the process is legal or not.
The move follows a case brought by privacy lawyer Max Schrems, which was heard at the Court of Justice of the European Union (ECJ) this week, primarily against Facebook which uses SCCs for its international data transfers.
SCCs were approved under European Commission decisions of 2001, 2004 and 2010, but concerns over their validity were sparked by claims made by US whistle-blower Edward Snowden that American security services were using SCCs to engage in mass surveillance.
Schrems lodged his first complaint against Facebook’s use of SCCs at the Irish Data Protection Commission in 2013. He continues to argue that these contracts violate Europeans’ fundamental right to privacy. In 2015, Schrems actions led to the demise of the Safe Harbour data transfer agreement that had been in place for 15 years.
After years of legal "ping-pong", the Irish Data Protection Commissioner Helen Dixon referred the case to the Irish High Court, which in turn sent it all the way up to the ECJ in Luxemburg.
The ECJ Advocate General’s opinion is due on December 12, and, although non-binding, such opinions are influential and usually followed by the court’s judges at a later date.
In an analysis of the case, law firm DLA Piper said: "There is a significant risk the [court] will declare these transfer mechanisms as invalid. If this happens, many organisations will be left without any practical solution to legitimise the international transfer of personal data."