Schrems II case: EU to U.S. transfers of personal data challenged
- Articles and memoranda
- Posted 29.01.2020
For an outlook of the latest development as at July 2023 in relation to transfers to the US, please read our article about the New EU adequacy decision allowing personal data transfers to US self-certified entities!
On 9 July 2019 the hearing of the Schrems II Case (C311-18) took place at the Court of Justice of the European Union (“CJEU”) in Luxembourg.
Max Schrems, well-known for having caused the invalidation of the Safe Harbour Privacy Principles, is currently challenging the EU to U.S. data transfers operated by Facebook on the basis of the decision 2010/87/EU of the European Commission relating to the controller to processor Standard Contractual Clauses (“SCCs”). He lodged a complaint with the Irish data protection authority (the “DPC”) concerning the transfer of his personal data by Facebook Ireland Limited to its parent company located in the U.S. According to Mr. Schrems, the social network company is violating the EU data protection law by allowing U.S. authorities to access his personal data. The DPC decided to bring proceedings before the Irish High Court since the solution depended on the validity of the SCCs. The DPC referred 11 questions to the CJEU for a preliminary ruling.
The Court also took into account opinions received from various stakeholders including the U.S government, representatives of the European Commission, the European Parliament, the European Data Protection Board, some Member States and the Electronic Privacy Information Center as well as different lobby groups.
The main discussions concerned the validity of the SCCs under the EU data protection law, national security concerns, compliance of the U.S. law with the EU Charter of fundamental rights, and the level of protection of personal data provided by the Privacy Shield framework (the latter being challenged before the General Court in Case T-738/16 - La Quadrature du Net and Others v Commission, the hearing of which has been postponed until the CJEU takes a decision on the Schrems II case).
Most of the parties, including the European Commission, the governments of Ireland and France, the industry associations and even Mr. Schrems, argued that the SCCs should not be invalidated (even if Mr. Schrems challenges the U.S. surveillance linked to these transfers).
According to them, even if the laws of third countries do not provide adequate protection for the personal data, the parties to the SCCs take the responsibility for providing appropriate safeguards such as the existence of data subject rights, the obligations of the exporter and the importer to ensure compliance with the EU law. They also insist on the important role of the data protection authorities in enforcing the SCCs. They pointed out in particular that the invalidation of the SCCs would have a serious negative impact on the competitiveness and on the daily functioning of EU companies.
The Advocate General delivered its Opinion on 19 December 2019.
It confirms the validity of the SCCs notably because they oblige the exporter to suspend or prohibit transfers where it is apparent that the laws of the destination country would prevent the parties from complying with their obligations under the SCCs.
Therefore, before relying on SCCs, the parties should assess all the circumstances of the intended personal data transfers to ensure that they are in a position to comply with their obligations.
The Court will deliberate and deliver a judgement in due course. The Court is not bound by the Advocate General's observations, which will nevertheless be taken into consideration.
Elvinger Hoss Prussen will of course inform you of the outcome of the CJUE decision.
This may also interest you :