Commentary on the Schrems II ruling: “Serious implications”

The Court of Justice of the EU (CJEU) today handed down its judgment in the long-awaited case of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, commonly referred to as Schrems II).

The CJEU declared the EU-U.S. Privacy Shield framework to be invalid as a mechanism for transferring personal data to the U.S. It also held that the more widely-used Standard Contractual Clauses remain valid, but businesses must verify whether the overall context of the transfer (including the destination country) offers appropriate safeguards to individuals’ personal data and require EU data protection regulators to suspend or prohibit transfers where such appropriate safeguards cannot be provided.

Please see commentary on the case below. If you would like to speak with one of our lawyers, please let us know.

Commenting on the case, Sabine Fehringer, partner at global law firm DLA Piper in Vienna, said:

“Today’s judgment has serious implications on the transfer of personal data outside the EU and is a wake-up call for EU businesses. For those businesses that previously relied upon Privacy Shield, an alternative transfer mechanism must be found. However, before using Standard Contractual Clauses, which are the most commonly-used alternative transfer mechanism, businesses will need to verify the existence of appropriate safeguards, taking into consideration the real-life risks of such transfer, within the context of the sector / industry and other relevant factors including the destination country. This will also apply for businesses currently using Standard Contractual Clauses. EU data protection authorities will have the unenviable task of determining the sufficiency of appropriate safeguards and is likely to trigger a further round of political discussions between the EU and U.S.”

Background

• For background, the GDPR regulates the transfer of EU personal data, requiring a valid transfer mechanism under Chapter V GDPR to be in place. Such mechanisms include adequacy decisions of the European Commission (such as Privacy Shield) and appropriate safeguards (such as Standard Contractual Clauses). Standard Contractual Clauses are the most commonly-used transfer mechanism.
• This is not the first time the CJEU has invalidated a transfer mechanism. In 2015, the CJEU invalidated the EU-U.S. Safe Harbor framework (the predecessor to Privacy Shield) in a case commonly referred to as Schrems I, a complaint by the same individual as in the current case. At the heart of Schrems’ complaint was the fact that U.S. surveillance laws did not offer adequate protection for EU personal data.
• If cross-border personal data flows were seriously disrupted or stopped, the negative impact on EU GDP could reach between - 0.8% and - 1.3%, according to evidence submitted by the BSA Software Alliance. This would be equivalent to roughly 3-4x the economic decline that Europe experienced during the 2012 economic downturn.
• DLA Piper has over 180 experience data protection, privacy and security team members located in countries across EMEA, Asia Pacific and the US. Our lawyers work together to advise some of the world’s leading brands and corporations on international data protection and compliance issues, working independently or alongside consultants. We are deeply involved in the evolution of data protection and privacy law at an international level. The firm is designing a methodology to help clients navigate the resulting challenges that today’s judgement presents.