<iframe src="//www.googletagmanager.com/ns.html?id=GTM-5T7PGR" height="0" width="0" style="display:none;visibility:hidden">

FROM THE BLOG

Is there a new chapter for the EU and its data transfer rules on the horizon?

Posted by on 19 December 2019

Max Schrems, an Austrian privacy activist, has brought yet another data protection case to the Court of Justice of the European Union (CJEU). The outcome of this case will be decisive for everyone who transfers data to non-EU countries. The decision in the case has the potential to force a wide range of businesses to make huge changes in their data management.

Privacy-ShieldThe current case, which is commonly referred to as Schrems II, is the sequel case to the Schrems I case, which resulted in the invalidation of the Safe Harbour Framework for the data transfer between the European Union (EU) and the USA. Schrems II may cause the CJEU to consider the validity of both the European Commission Standard Contractual Clauses (SCCs) and the EU-US Privacy Shield.

The Advocate General's opinion, issued today, has been keenly awaited as a first indication of the direction the CJEU decision may take. The SCCs are likely to remain as a valid safeguard for international data transfers. The Privacy Shield mechanism however faces a very uncertain future.

1. What has happened so far?

Max Schrems is a privacy activist who is concerned about the cooperation between US companies and US intelligence agencies, particularly about Facebook sharing personal data of EU residents with the US National Security Agency. The fundamental argument before the CJEU has been the alleged power of the US to carry out mass surveillance of EU residents' personal data without justification. These concerns led to the Schrems I case and the invalidation of the Safe Harbour Framework in 2015. This framework was a mechanism that legitimised data flows from the EU to the US.

The decision was based, in particular, on the fact that the US legislation did not limit interference with an individual's rights to what is strictly necessary, but allowed the bulk collection of personal data transferred to the US. The legislation did not contain any objective criteria for determining limits to such access and the subsequent use of this personal data by public authorities. After the invalidation of the Safe Harbour Framework, the Irish Data Protection Authority requested Max Schrems to amend his complaint leading him and his team to challenge the EU Standard Contractual Clauses, which is an alternative mechanism to legitimise data flows to non-EU countries.

Max Schrems used a similar argumentation for his second challenge as in the Schrems I case. The Irish Data Protection Authority then brought the case to the Irish High Court, which in turn referred 11 questions to the CJEU for a preliminary ruling. This preliminary ruling is now referred to as the Schrems II case.

2. What happened during the CJEU hearing of 9 July 2019?

The hearing in the Schrems II case took place at the CJEU in Luxembourg, where the main parties presented their arguments. The main parties in the proceeding are the Irish Data Protection Commissioner, Facebook Ireland Ltd. and Max Schrems. Moreover, many stakeholders such as the European Data Protection Board and several Member States have intervened in the proceedings.

During the hearing of 9 July 2019, the SCCs were widely discussed and it was stated by many parties - including Max Schrems' legal team - that the SCCs should not be invalidated but that the SCCs should be (better) enforced. It was argued that without enforcement, the SCCs were not suited to provide adequate safeguards.

They also discussed the EU-US Privacy Shield, where there seemed to be a stronger tendency among the parties to push for invalidation of the mechanism.

3. What is the Advocate Generals opinion?

Until the judgement is rendered, the Advocate General's opinion may serve as an indication on whether or not the EU-US Privacy Shield and/ or the SCCs will be declared invalid.

In the opinion of the Advocate General of 19 December 2019 the SCCs are valid. The analysis of the questions submitted to the CJEU has disclosed nothing which may affect the validity of the SCCs. He further explained that the CJEU is not required to rule on the validity of the Privacy Shield mechanism, since this is not part of the dispute at hand. Nevertheless, the Advocate General set out the reasons that lead him to question the validity of the Privacy Shield and the mechanism contained therein.

4. What will happen next? And what does this mean for my business?

The CJEU will have to render a judgement at the beginning of 2020, which may disrupt the status quo on how to deal with data transfers. The CJEU also has a case before it specifically concerning the Privacy Shield.

For now, the existing mechanisms for data transfers remain valid and the Advocate General recommends that this stays the same for the SCCs. Nevertheless, the Attorney General's opinion indicates that the lawfulness of the Privacy Shield mechanism may be rejected in the near future, which will likely lead to a heavier reliance on the SCCs.

In the case that the CJEU invalidates the SCCs and the Privacy Shield framework, businesses would have to rely on alternative mechanisms for their data transfers to third countries.

The EU General Data Protection Regulation (GDPR) provides for three alternative safeguards, namely:

  • An adequacy decision by the EU stating that a country has an adequate level of data protection. Switzerland, for example, currently benefits from an adequacy decision;
  • Binding Corporate Rules; and
  • A narrow list of derogations where data transfers are permitted to countries where there is no adequacy decision in place (for example, in order to protect life and health).

Currently, there is no readily available alternative to the SCCs and the EU-US Privacy Shield. For your business, this means that you will have to take immediate action following a decision that these mechanisms are invalid.

We recommend that you check that you have:

  • analysed your data flows;
  • considered alternatives to the SCCs and/ or the EU-US Privacy Shield;
  • been in touch with your service providers to ask what contingency plans they have in place; and
  • briefed your management and other key stakeholders about the situation.

Nevertheless, keep in mind that for now nothing has been decided and that we will only know for sure once the CJEU renders its judgement.

We will closely follow the case to keep you updated on the newest developments. If you have any questions, our data protection team is happy to assist.

 

If you liked this article, you might be interested in reading about:

Shedding some light on the territorial scope of the GDPR, by Nicola Benz and Cornelia Mattig

Checklist for a controller and processor agreement under the GDPR, by Nicola Benz and Ronald Kogens

Checklist Privacy Policy under the GDPR, by Nicola Benz and Cornelia Mattig

Simple in theory, complex in practice: the dual role as controller and processor under the General Data Protection Regulation, by Nicola Benz and Ronald Kogens 

Check for GDPR Compliance and receive a customised list of next steps for free, by Ronald Kogens and Nicola Benz

 

Photo: istockphoto / Arkadiusz Warguła


Topics: Corporate & Commercial | Data Protection | Intellectual Property

  
Name 13

Nicola Benz

Nicola Benz’s practice is focused on technology and life sciences transactions. She assists technology companies of all sizes, from start-ups to established players, as well as investors, suppliers and customers across a broad range of industries and sectors. Nicola Benz’s expertise covers outsourcing, licensing, joint ventures and collaborations and associated intellectual property issues. She also has considerable experience advising on all types of commercial contracts, competition and regulatory issues and data protection. Nicola Benz is recognised as a globally leading patent and technology licensing lawyer, as well as a leading practitioner in the field of intellectual property. Chambers Europe (2018) ranked her as leader in the fields of Intellectual Property and Life Science, and she was recommended in the 2018 edition of the Legal 500 EMEA for Intellectual Property as well as TMT matters. She has also been named as a thought leader for data law in the publication "Who's Who Legal 2018". Born in Scotland, Nicola obtained her law degree from the University of Edinburgh (LLB Hons) in 1997. She joined our firm as an associate in 2002 and became a partner in 2010. Since 2017 she has been the managing partner of our firm. Her working languages are English and German. Nicola is a member of the Zurich Bar Association, the International Trademark Association (INTA), the Licensing Executives Society (LES) and the International Technology Law Association (iTechLaw).

Connect with me:
Name 13

Cornelia Mattig

Cornelia Mattig specialises in data protection and intellectual property law, as well as corporate and commercial law issues. Cornelia Mattig joined Froriep as an associate in 2018. Before joining Froriep, Cornelia Mattig trained with firms in Ireland, Germany and Switzerland as well as at the District Court of March in the Canton of Schwyz. After she passed the Bar exam in the Canton of Schwyz, she worked as a notary public and lawyer in an accounting and auditing firm. She graduated from the University of Zurich with a Master of Law (Business Law) in 2014 before obtaining her LL.M. in European Law at Queen Mary University of London in 2017. She was admitted to the Bar in 2018. She also holds a Data Protection Officer Certificate from the University of Maastricht. Her working languages are German and English.

Connect with me:
https://blog.froriep.com/hubfs/IMAGES_BLOGPOST_850x850/Privacy-Shield.jpg