• GL
Choose your location?
  • Global Global
  • Australia
  • France
  • Germany
  • Ireland
  • Italy
  • Poland
  • Qatar
  • Spain
  • UAE
  • UK

Update: Schrems II

12 July 2019

Following the Irish Supreme Court's rejection of Facebook's appeal to withdraw the Irish High Court's referral to the European Court of Justice (ECJ), the Schrems II case has now been heard by the ECJ.

Background

The Schrems II case follows on from Schrems I, in which the ECJ - following a complaint by Austrian student Max Schrems about the flow of personal data between Facebook in Ireland to Facebook in America and subsequent processing of that data by US surveillance authorities - declared the "Safe Harbour" provisions for transferring data between the EEA and the USA invalid.

With "Safe Harbour" declared invalid, many undertakings began to rely on the "Standard Contractual Clauses" (SCCs, also known as Model Clauses) as a basis for transferring personal data outside of the EEA. Please see our other article 'Restricted Transfers and Model Clauses' for more information on this topic.

Following Schrems I, and the invalidation of "Safe Harbour", the Irish Data Protection Commissioner (DPC) investigated the alternative potential legal basis for transfers outside of the EEA. The DPC concluded that the SCCs may also not be valid and instigated proceedings in the Irish High Court, which subsequently referred several questions to the ECJ on the validity of the European Commission decisions approving the SCCs.

 

So, what's happened so far?

 

Latest Update

In Schrems II, the High Court questioned the compatibility between the SCCs and the protections under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (Charter Rights).

The questions referred to the ECJ included whether the Charter Rights apply to personal data that has been transferred to the USA in the knowledge it may be processed by USA security services. Facebook had argued that such processing was necessary for national security, which is one of the derogations from the Charter Rights permitted by EU data protection law.

Further, the High Court questioned whether the SCCs provide inadequate protection to the Charter Rights when data is transferred to the USA, as EU data subjects' remedies for unlawful processing in the USA are significantly limited.

Other key issues referred to the ECJ included the level of protection required under the SCCs; how to measure violations of data protection rights when data is transferred outside of the EEA; and by which standard the adequacy of the recipient country's data protection laws are measured.

Facebook took the matter to the Irish Supreme Court to appeal the High Court's decision and for an order that the High Court had erred in certain findings of fact. The Supreme Court found that the decision to amend or withdraw a reference to the ECJ could only be made by the Court which had originally made that reference – in this instance, the High Court. The Supreme Court would only be able to overturn findings of fact that were incompatible Irish Law, not the reference itself. When considering appeals on findings of fact, the Supreme Court noted that it could only consider a limited number of Facebook's grounds of appeal, as a number of the grounds involved a direct appeal against the reference to the ECJ or the text of the reference, and, as noted above, this was not a matter for the Supreme Court to decide. On the remaining grounds of appeal, the Supreme Court considered that Facebook's issues were not with the facts themselves, but rather with the characterisation of those facts. The Supreme Court was therefore not satisfied that it could properly justify overturning any finding of fact by the High Court, and the appeal was dismissed.

The ECJ hearing took place on 9 July, with a non-binding opinion due to be published on 12 December 2019, and a full decision expected early in 2020.

Businesses should keep a watching brief on these developments, as the impact of any decision on the validity of the widely used SCCs as an adequate safeguard for transferring personal data to a "third country" is likely to be significant. This would be particularly so in the event of a no-deal Brexit, at which point the UK itself would become a "third country". Please see our article 'Data Protection and a No-Deal Brexit' for further information on the data protection implications of a No-Deal Brexit.

 

Written by Tim Howden

Further Reading

We use cookies to give you the best user experience on our website. Please let us know if you accept our use of cookies.

Manage cookies

Your Privacy

When you visit any web site, it may store or retrieve information on your browser, mostly in the form of cookies. We mainly use this information to ensure the site works as you expect it to, and to learn how we can improve the experience in the future. The information does not usually directly identify you, but it can give you a more personalised web experience.
Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change permissions. However, blocking some types of cookies may prevent certain site functionality from working as expected

Functional cookies

(Required)

These cookies let you use the website and are required for the website to function as expected.

These cookies are required

Tracking cookies

Anonymous cookies that help us understand the performance of our website and how we can improve the website experience for our users. Some of these may be set by third parties we trust, such as Google Analytics.

They may also be used to personalise your experience on our website by remembering your preferences and settings.

Marketing cookies

These cookies are used to improve and personalise your experience with our brands. We may use these cookies to show adverts for our products, or measure the performance of our adverts.