| CMS Belgium | The Wire - Your Technology, Media & Communications Update | 20 December 2019 | ||||
 |
||||
|
||||
| EU Advocate-General opinion hints Europe’s top court is unlikely to disrupt international data flows in pending decision |
On 19 December 2019, Advocate-General Henrik Saugmandsgaard Øe (AG), a senior legal adviser to the EUs Court of Justice (CJEU), delivered an opinion (Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems) in the Schrems II case, which concerns data transfers to the United States using EU Commission-approved standard contractual clauses (SCCs). The Schrems II case is a follow-up to the Schrems I case in which the CJEU declared the Safe Harbour framework invalid as a mechanism to lawfully transfer personal data from the EU to the US. Although the AG’s Opinion does not bind the CJEU, it gives a discernible indication of the direction the CJEU’s judgement will take. Why is this case important? The focus of this case is on the validity of the SCCs as a mechanism to lawfully transfer personal data from EU-based companies to organisations based outside of Europe. In addition, this case may have significant consequences for the validity of the EU-US Privacy Shield Framework. Many European businesses rely on these mechanisms to lawfully transfer personal data to the US. Therefore, should the CJEU decide that either one or both transfer mechanisms are invalid, many businesses will have to implement alternative solutions to be able to continue sharing personal data internationally. One such alternative is the Binding Corporate Rules (BCR), which would require considerable time and effort to implement and maintain. Schrems I In 2013, Edward Snowden disclosed that the US National Security Agency conducted mass surveillance on important US internet companies. Following these revelations, Max Schrems, an Austrian privacy-activist, filed a complaint against Facebook with the Irish Data Protection Commissioner (DPC). Schrems claimed that the transfer of his personal data by Facebook Ireland to US-based Facebook Inc. violated EU law. He argued that the Safe Harbour framework, an EU Commission-approved mechanism for EU-based organisations to lawfully transfer data to US-based organisations, also violated EU law. The case ended up before the CJEU for judicial review after the Irish High Court asked several preliminary rulings. On 6 October 2015, the CJEU ruled the Safe Harbour mechanism to be invalid. Therefore, the Safe Harbour mechanism could no longer be used as a basis for transferring personal data to US-based organisations. Schrems II Following this judgement, Schrems filed another complaint against Facebook with the Irish DPC, this time arguing that Facebook could not use SCCs to transfer data from Facebook Ireland to Facebook in the US. In the meantime, the EU and the US had started negotiations on a mechanism that would replace the Safe Harbour framework, which was ultimately dubbed the EU-US Privacy Shield. Insisting that US law does not provide adequate legal remedies to EU data subjects when their personal data is accessed by US authorities, Schrems asked the DPC to use its powers under Article 4 SCCs to suspend the EU-US data flows from Facebook’s Irish operations to the US. The DPC did not comply with this request and questioned the validity of SCCs. Schrems’ complaint again ended up before the Irish Supreme Court, which referred the case – Schrems II – to the CJEU for a preliminary ruling. EU-US Privacy Shield In discussing the first question, the AG stated that the CJEU does not need to rule on the validity of the Privacy Shield to allow the Irish High Court to decide the case. Nevertheless, should the CJEU consider the validity of the Privacy Shield relevant, the AG gave an opinion that hints at the invalidity of the Privacy Shield. The AG questioned whether the extrajudicial control mechanisms set up by the US government provide sufficient guarantees to ensure an adequate level of protection for personal data. More specifically, the Privacy Shield provides an Ombudsman as an additional redress avenue for individuals whose data has been transferred from the EU to the EU. The AG, however, expressed doubts about the ability of that mechanism to compensate for any inadequacies in judicial protection. Will the CJEU invalidate the SCCs? Unlikely. The AG stated he saw no grounds for invalidating SCCs. Although the CJEU is not bound by the AG's opinion, we think it is unlikely the CJEU would depart from it. Pending the CJEU’s decision, the SCCs continue to be a valid ground for transferring data internationally. Will the CJEU invalidate the Privacy Shield? This is hard to predict. Schrems II is essentially about SCCs, and not the Privacy Shield. The CJEU may limit its verdict to the validity of SCCs and refrain from taking any position on the Privacy Shield. Note that another case (Case T-738/16 La Quadrature du Net v Commission) is pending before the EU’s General Court (previously the Court of First Instance) in which the validity of the Privacy Shield is being directly challenged. The General Court announced in June 2019 that it would suspend the proceedings in La Quadrature du Net to await a judgement of the CJEU in Schrems II. Therefore, the AG's opinion and the CJEU’s ultimate decision within the next six months are likely to have significant impact on the General Court’s verdict on the validity of the Privacy Shield. For more information on this opinion, feel free to contact your usual CMS advisor or local CMS experts: Janick Van Daele, Thomas Dubuisson, or Tom De Cordier. |
|
||||||||||||||||||||||||||||||||
| CMS DeBacker, Chaussée de La Hulpe | Terhulpsesteenweg 178, 1170 Brussels, Belgium T +32 2 743 69 00 – F +32 2 743 69 01 CMS DeBacker, Uitbreidingstraat 2, 2600 Antwerp, Belgium T +32 3 206 01 40 – F +32 3 206 01 50 CMS DeBacker Luxembourg, rue Goethe 3, L-1637, Luxembourg T +352 26 27 53-1 – F +352 26 27 53-53 CMS DeBacker is a member of CMS, the organisation of independent European law and tax firms. CMS provides a deep local understanding of legal, tax and business issues and delivers client-focused services through a joint strategy executed locally across 43 jurisdictions with 75 offices in Europe and beyond. CMS was established in 1999 and today comprises ten CMS firms, employing 4,800 lawyers and is headquartered in Frankfurt, Germany.
CMS locations: Aberdeen, Algiers, Amsterdam, Antwerp, Barcelona, Beijing, Belgrade, Berlin, Bogotá, Bratislava, Bristol, Brussels, Bucharest, Budapest, Casablanca, Cologne, Dubai, Duesseldorf, Edinburgh, Frankfurt, Funchal, Geneva, Glasgow, Hamburg, Hong Kong, Istanbul, Kyiv, Leipzig, Lima, Lisbon, Ljubljana, London, Luanda, Luxembourg, Lyon, Madrid, Manchester, Mexico City, Milan, Monaco, Moscow, Munich, Muscat, Paris, Podgorica, Poznan, Prague, Reading, Rio de Janeiro, Riyadh, Rome, Santiago de Chile, Sarajevo, Seville, Shanghai, Sheffield, Singapore, Skopje, Sofia, Strasbourg, Stuttgart, Tirana, Utrecht, Vienna, Warsaw, Zagreb and Zurich.
Unsubscribe from all our Technology, Media and Communications-related newsletters. To unsubscribe from all mailings sent by CMS Belgium, please send an email to privacy@cms-db.com. For our full privacy policy, please click here. www.cms.law |