On July 9, 2019, the European Court of Justice (CJEU) heard oral arguments on a landmark case concerning Facebook’s transfer of personal data from the EU to the US on the basis of the currently utilized “standard contractual clauses” (SCCs) mechanism. The CJEU’s decision — will have tangible consequences for businesses performing data transfers from the EU to the US — is expected in December 2019.
By way of background. In 2013 Mr. Schrems demanded the suspension of data flow from Europe to the USA, on the assumption that the U.S. Government does not protect personal data from surveillance programs like PRISM and the protection afforded is consequently insufficient to allow EU-US data flows.
On October 6, 2015, the CJEU issued its decision in C-362/14 (Maximilian Schrems v. Data Protection Commissioner) and declared the Safe Harbour Decision (Decision 2000/520/EC) invalid. The Irish Data Protection Authority (DPA) had to investigate and decide whether the transfer of data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection. See here.
In 2016, instead of deciding over the complaint, the Irish DPA initiated a proceeding before the Irish High Court against Facebook Ireland Ltd. and Mr Schrems to refer a question to the CJEU to determine if Facebook can continue to transfer data from the EU to the US on the basis of the currently utilized “standard contractual clauses” (SCCs) mechanism. See here.
The Irish High Court found that the US government had engaged in “mass processing” of Europeans’ personal data and referred 11 preliminary questions to the CJEU, Case C-311/18.
Facebook tried to block the reference made by the Irish High Court to the CJEU, but on May 31, 2019, the Irish Supreme Court dismissed Facebook’s appeal (see Irish High Court’s decision here).
On July 9, 2019, the CJEU held an oral hearing in respect of the reference made to it by the Irish High Court. 15 judges heard the Irish Data Protection Authority, Mr. Schrems and Facebook oral submissions.
Four amicus curiae (the USA, EPIC, BSA Business Software Alliance Inc. and Digital Europe), the European Parliament, the European Commission and 10 Member States (Austria, Belgium, Bulgaria, Czech Republic, Germany, Ireland, Netherlands, Poland, Portugal and the United Kingdom) also made oral submissions at the hearing before the CJEU. Additionally, the CJEU has invited the European Data Protection Board (EDPB) to address the CJEU on specific issues.
According to this source, the CJEU announced that would issue an opinion on December 12, 2019. The decision will have tangible consequences for all businesses dealing with this type of data transfers.
After the ECJ judgment, the Irish DPA will have to decide the original complaint filed by Schrems. The decision could be appealed before the Irish Court.
More on Case C-311/18, Facebook Ireland and Schrems is available at http://curia.europa.eu…
More on the ECJ’s Schrems decision here.
More information on the case brought by the Irish DPA against Facebook Ireland Ltd and Mr Schrems over EU-US data transfers is available here.
EPIC’s Update on the case can be found here.
The Irish Data Protection Commissioner’s latest update on the case can be found here.
More information on the case Data Protection Commissioner -v- Facebook Ireland Ltd & anor is available here.
If your organization would like to receive assistance ON THE GDPR, feel free to contact us at: http://www.cgcfirm.com/contacts/
Originally published on Technethics on July 2019