The Court of Justice of the European Union (the “CJEU”) has heard arguments from Facebook Ireland Ltd. and Maximillian Schrems, concerning whether US surveillance activities can violate the fundamental rights of EU citizens and hence affect the validity of the transfers of personal data from Ireland to the US through means of SCCs.
Case C-311/18 or “Schrems II” is a sequel to the complaint made just six years ago by Austrian lawyer and data privacy campaigner, Max Schrems. In connection with Facebook and transfers of personal data to the U.S.
In 2013, Max Schrems brought a complaint to the Irish Data Protection Commissioner (the “Irish DPA”,) which shortly after, was referred to the CJEU. The complaint was about an adequacy question surrounding the EU/US ‘Safe Harbour’ framework that was in place, and whether or not the framework provided sufficient protections in relation to the US’s surveillance practices towards the personal data of non-nationals.The CJEU found in 2015 that the Safe
Harbour framework did not adequately protect the privacy rights of those Europeans whose data was shared to Facebook Inc. Consequently, it declared Safe Harbour invalid.
Following the outcome of Schrems I, organisations could no longer rely on Safe Harbour as means to legitimize personal data transfers and sought alternative mechanisms in the form of Standard Contractual Clauses (“SCCs). In 2016, the EU Commission replaced Safe Harbour with ‘Privacy Shield’ in light of the Shrems I case.
In Schrems II, Max Schrems has issued a new complaint to the Irish DPA, taking a similar approach to SCCs as that taken with Safe Harbour. The fundamental concern is whether or not the US will be able to carry out surveillance of EU citizens’ data, and what protections are afforded to those citizens. It is likely therefore, that Privacy Shield will also come under close scrutiny.
The case was initially brought before the Irish High Court, where 11 questions were subsequently referred to the CJEU for a preliminary ruling. The CJEU’s Advocat General is expected to issue a non-binding opinion in December 2019 with a full decision of the CJEU in 2020.
For now, and prior to Brexit both SCCs and Privacy Shield remain valid mechanisms whilst the CJEU makes a decision on the outcome of the case. However, the full decision which is expected in early 2020 will be critical in determining which mechanism(s) an organisation may rely on as means to legitimize its transfers of personal data outside of the EEA.
Invalidation of SCCs and/or Privacy Shield could heavily impact companies that wish to transfer personal data, due to the narrowing scope of mechanisms available. This follows on from a challenge recently by a French company to Privacy Shield which has been put on hold until the outcome of the above.