By Amy Grant, Senior Visiting Fellow, UCLAN Cyprus School of Law
The preliminary, non-binding opinion in a closely watched data protection case will be released by the Advocate General of the Court of Justice of the European Union (CJEU) on Thursday, 19th December. The “Schrems II” case (case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems) is a sequel to the first Schrems case (case C-362/14, Schrems v Data Protection Commissioner) that resulted in the invalidation of the EU-US Safe Harbour Framework in 2015. A final decision by the CJEU in the Schrems II case is expected in early 2020.
Both cases concern how Data Protection Authorities should assess the protection of personal data that Facebook transfers from the European Union to the United States for storage and processing, in the context of national security surveillance activities by U.S. agencies that were revealed by Edward Snowden in 2013.
In the Schrems II case, the Irish High Court referred eleven questions to the CJEU for a preliminary ruling. These questions ask for clarification regarding how to determine the adequacy of data protection safeguards when personal data is transferred to a third country outside the European Union, and the extent to which such data can be further processed in the receiving country for national security and law enforcement purposes.
The two most common safeguards that companies use when transferring data from the European Union to the United States are Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Shield (Privacy Shield).
SCCs were defined as a data protection safeguard under the European Union Data Protection Directive in 1995. The Directive’s 2016 successor, the General Data Protection Regulation, also included SCCs as one of the available mechanisms for international data transfers. The SCCs currently in use worldwide have not been updated since 2010.
The Privacy Shield was adopted in 2016 after its predecessor, the EU-U.S. Safe Harbour Framework, was invalidated by the CJEU in the first Schrems case. Under the Privacy Shield, U.S. companies that implement data protection measures meeting specific requirements can self-certify compliance, which allows the transfer of personal data from the European Union to such companies without the use of SCCs.
Several outcomes from the Schrems II case are possible with respect to the use of SCCs:
- The use of SCCs for ensuring data protection in any international transfer may be deemed to provide inadequate protection of data privacy rights; or
- The use of SCCs in general use may be upheld; or
- The use of the SCCs in individual countries or for certain types of transfers may require additional analysis of the receiving country’s laws and protections.
The European Commission is already working to update the SCCs. The final decision in the Schrems II case may significantly accelerate the urgency of these update efforts.
With respect to the Privacy Shield, possible outcomes include:
- The Privacy Shield may be declared to provide inadequate protection of data privacy rights considering U.S. national security surveillance; or
- The Privacy Shield may be upheld; or
- A ruling on the Privacy Shield may be deferred until another case (brought by La Quadrature du Net) is decided by the CJEU.
Next week’s opinion by the Advocate General is expected to help narrow the range of possible outcomes and give data protection practitioners preliminary guidance on how to advise their clients while waiting for the final CJEU decision next year.
For information about ethical and human rights implications (including data privacy) of artificial intelligence and smart information systems, and to give your input on these issues, go to the SHERPA Project.
UCLAN Cyprus School of Law will hold a Data Protection Roundtable on 15th January 2020 to discuss the Schrems II opinion and other legal developments in data protection in 2019. The event is approved for CPD credit by the Cyprus Bar Association.