On July 9, 2019, the hearing in the so-called Schrems II case (case C-311/18) took place at the Court of Justice of the European Union (“CJEU”) in Luxembourg. The main parties involved in the proceedings, the Irish Data Protection Commissioner (“Irish DPA”), Facebook Ireland Ltd. and the Austrian activist Max Schrems, presented their arguments to the court. In addition, a number of other stakeholders intervened during the hearing, including representatives of the European Parliament, the European Commission, the European Data Protection Board, several EU Member States (including Austria, France, Germany, Ireland, the Netherlands and the UK) and the U.S. government, as well as a number of industry lobby groups and the Electronic Privacy Information Center.
The case is the sequel of the Schrems I case (C-362/14), which resulted from a complaint Max Schrems filed with the Irish DPA against Facebook for allowing U.S. authorities access to his personal data in violation with EU data protection law. This case was ultimately escalated to the CJEU for a preliminary ruling and resulted in the invalidation of the Safe Harbor Framework (Commission Decision 2000/520/EC), a mechanism that many companies were relying on to legitimize data flows from the EU to the U.S., in October 2015. The CJEU’s decision to invalidate the Safe Harbor Framework was, among other factors, based on the fact that U.S. legislation did not limit interference with an individual’s rights to what is strictly necessary. Instead, it authorized the bulk collection of personal data transferred from the EU to the U.S. and did not set forth any objective criteria for determining limits to the access and use of this personal data by public authorities.
In the aftermath of Schrems I, the Irish DPA requested that Schrems reformulate his complaint since the Safe Harbor Framework had been invalidated. Schrems decided to challenge the transfers performed on the basis of the EU Standard Contractual Clauses (“SCC”), the alternative mechanism Facebook has chosen to rely on to legitimize its EU-U.S. data flows, on the basis of similar arguments to those raised in the Schrems I case. The Irish DPA brought proceedings before the Irish High Court, which referred 11 questions to the CJEU for a preliminary ruling, the Schrems II case.
During the hearing, supporters of the SCC argued that the mechanism provides sufficient safeguards, such as the existence of data subject rights, the obligations placed on the exporter and the importer to ensure compliance with EU law and the important role of DPAs in enforcing the SCC, including the power to suspend data flows. Supporters also asked the CJEU to separate the review of SCC and its analysis of third country laws (in particular U.S. law), which they said is irrelevant in this case. Member states underlined the need for national security activities and the need to find an appropriate balance with data protection rights.
Also during the hearing, counsel acting for Schrems requested that the EU-U.S. Privacy Shield be declared invalid, and there were intense debates around the level of data protection provided under the Privacy Shield.
The CJEU’s judgment in the Schrems II case, which is not expected before early 2020, could cause a real earthquake in the EU data protection landscape as it may result in the invalidation of the SCC, the mechanism that is most commonly used in practice to legitimize transfers of personal data from the EU to non-EU countries. There is also a risk that the CJEU’s decision on the broad questions that were referred to it may impact the validity of other transfer mechanisms, such as the EU- U.S. Privacy Shield, potentially leaving companies with limited alternatives to legitimize international data flows that are crucial for their business. For now, these mechanisms remain valid, but organizations should take steps to identify potentially impacted data flows, and consider whether alternative data transfer mechanisms are available. This issue should be kept under close review.