Your privacy is important to us.
This website uses cookies to help deliver its services. By using this website, you agree to the use of cookies as outlined in our Cookie Policy.
Background
The name Max Schrems is now as familiar to privacy professionals as the term GDPR. The Austrian lawyer and privacy activist has been instrumental in challenging data transfers from the EU to the US since 2013 when he first launched a challenge in Ireland against Facebook’s transfer of his personal data to the US. Mr Schrems argued that in light of the Edward Snowden revelations, US law could not adequately protect his data from surveillance by the US authorities. Facebook had relied on the EU/US Safe Harbour Agreement to transfer data to the US but as a result of the first Schrems case the Safe Harbour Agreement was declared invalid in 2015.
By 2016 Safe Harbour was replaced by another EU/US mechanism, the Privacy Shield, and Facebook moved from relying on this adequacy mechanism to using Standard Contractual Clauses (SCCs) as the legal basis for data transfer to the US. However, privacy concerns remained and Mr Schrems reformulated his complaint to the Irish Data Protection Commissioner to include a challenge to SCCs.
Decision
The Irish High Court referred a number of questions to the Court of Justice of the European Union (CJEU) which handed down its decision on 16 July 2020. The CJEU ruled that:
Given that over 5,000 organisations participate in the Privacy Shield and thousands more rely on the Privacy Shield when transferring data to these organisations, the judgment will have an immediate impact. Whilst SCCs remain valid, the ruling also highlights that SCCs should be used carefully and not without a careful analysis of whether the recipient jurisdiction has adequate data protections in place.
What are the implications of this decision for businesses involved in cross border data transfer?
The European Commission is currently working on updating SCCs and further guidance in the aftermath of the Schrems decision in likely to come from the European Data Protection Board. However, given that the crux of the problem lies with the laws of the receiving country rather than the instrument for transfer, it is difficult to see how the issue can be satisfactorily resolved.
This article has been produced for general information purposes and further advice should be sought from a professional advisor. Please contact our Data Potection team at Cleaver Fulton Rankin for further advice or information.
Call us on the Belfast number below or send us a message and one of our team will be in touch.
028 9024 3141