Ahead of the highly anticipated decision of the Court of Justice of the European Union in data protection, on Thursday, July 16th, this is a brief summary of where we stand so far:
Schrems I
In 2013 Mr. Maximilian Schrems, objected to his personal data being sent by Facebook Ireland to servers in the U.S, as they did not receive sufficient protection, challenging the validity of the European Commission’s “Safe Harbour” scheme on data transfers from the EU to the U.S.(“adequacy exemption decision”). As a result of Mr. Schrems’ complaint, the CJEU invalidated the Safe Harbour principles, ruling that the law and practice of the U.S. do not offer sufficient protection against surveillance by the public authorities (C362/14).
The Safe Harbour scheme was subsequently replaced by the EC’s “EU-U.S. Privacy Shield”, a similar self-certification scheme for U.S. based organisations receiving personal data from an EEA transferor.
Schrems II
Another exemption ground for personal data transfer out of the EEA is the provision of “appropriate safeguards”. Such condition is deemed to be met when organisations carrying out international personal data transfers use, in full and without amendment, the so called “Standard Contractual Clauses” (SCCs) approved by the European Commission.
In 2018, Mr. Schrems challenged the validity of both EC decisions on Privacy Shield and the SCCs as, according to Mr. Schrems, data transfers made according to those decision infringe the EU data protection law (Case C-311/18).
In December 2019, the CJEU’s Advocate General released its non-binding opinion, stating that SCCs remain a valid way to transfer personal data outside of the EEA. However, it remains to the exporter’s responsibility to assess, prior to the transfer, whether the SCCs can be complied with, taking into account whether the national security, communication and surveillance laws of the country of the data importer are “essentially equivalent” to those in the EU. It is also anticipated that the CJEU’s judgment will provide further insight on the validity of the U.S. Privacy Shield regime.
The CJEU has announced that it will deliver its judgment in the Schrems II case on 16 July 2020.
© Logaras Law (2023). All contents on this website, including logos, trademarks, texts, newsletters and articles (hereinafter the “Contents”), are protected under intellectual property law. Except where otherwise stated, use, downloading, reproduction and distribution in whatever form and by whatever medium (including Internet) for whole or part of the Contents available on this website and newsletter is not authorized.