CJEU Ruling On Schrems II

Two of the most important international privacy cases in recent history arose from a complaint against Facebook by Max Schrems, an Austrian PhD student and privacy activist. He lodged a complaint with the Irish Data Protection Commissioner (DPC) relating to data Mr Schrems provided to Facebook which was transferred from Facebook’s Irish subsidiary (Facebook Ireland) to Facebook’s servers in the United States (Facebook Inc.).

For background to Schrems I, click here

As a result of the Schrems I ruling, Mr Schrems reformulated and resubmitted his complaint to take account of this event. The DPC then examined Mr Schrems’ complaint in light of certain articles of the EU Charter of Fundamental Rights (the Charter), including Article 47 (the right to an effective remedy where rights and freedoms guaranteed by EU law are violated).

The DPC’s draft finding highlighted that a legal remedy compatible with Article 47 of the Charter is not available in the US to EU citizens whose data is transferred to the US where it may be at risk of being accessed and processed by US State agencies for national security purposes in a manner incompatible with Articles 7 and 8 of the Charter. The DPC also formed the preliminary view that Standard Contractual Clauses (SCC) which were used to legitimise the transfer of personal data of EU citizens to the US, do not address this lack of an effective Article 47-compatible remedy.

The Irish Data Protection Commission referred the case to the Irish High Court and the High Court, in turn, referred the case to the CJEU in 2018. This ruling is now referred to as Schrems II.

The CJEU issued its judgment on 16th July 2020. In brief:

  • The Privacy Shield was invalidated. Therefore, any organisation relying on the Privacy shield to transfer data will need to find an alternative method. It was invalidated due to the fact that there is no proper oversight regarding the ability of US security and law enforcement agencies to access non-US citizen’s data and the lack of sufficient rights for individuals.
  • The Standard Contractual Clauses (SCCs) held to be valid – with qualifications to ensure adequate data protection. Their use will have to be assessed on a case-by-case basis in particular taking into account the “relevant aspects of the legal system of the [relevant recipient] country”.  The organisation based in the EU sending data out of the EU under the SCCs is responsible for the assessments and potentially putting into place “supplementary measures” (should there be any issue with that regime).  Regulators have to police these assessments.

The European Commission provide SCC templates, and these are currently being modernised to take account of the GDPR and new versions should be available soon.

The Court has categorically clarified that since the domestic laws and surveillance programmes in the US do not meet the test of proportionality or are strictly necessary, therefore its data protection framework is not ‘essentially equivalent’ to the EU’s.

As a result of this landmark judgment, the European Court of Justice has strengthened the case for data protection and in some ways advocated surveillance reform along with a requirement for an adequate data protection framework for countries that hope to have a customer base in the EU. The ruling will also act as a benchmark for other countries which are either reviewing or just introducing data protection frameworks.

A European Data Protection Board taskforce has been established to consider how to apply the court’s ruling.