1. Background

The Court of Justice of the European Union ("CJEU"), has today delivered the much-anticipated preliminary ruling in the Schrems II case. Essentially, the CJEU:

  • Invalidated the EU-US Privacy Shield; and
  • Ruled against the use of Standard Contractual Clauses by Facebook and similar US companies.

While the facts of the case are long and complex, it's interesting to note that this case originated from a declined complaint by Max Schrems to the Irish DPC, which was rejected by the Irish DPC as baseless.  The complaint was against Facebook Ireland Ltd, in which Mr Schrems argued that his personal data was being transferred to the US company Facebook Inc., not only without his consent but also to a jurisdiction with broad surveillance laws which are in conflict with EU privacy laws.

This case has been ongoing for 7 years. During this time, the Irish DPC who is meant to be one of the guardians of the GDPR and data protection rights of the individuals, was opposing the complaint and to this end took no enforcement measures to protect the rights of Mr Schrems. The journey was very long but today the CJEU aside from telling the Irish DPC how it should have done its job, it endorsed the original complaint as well as the findings of the High court in paragraph 65 which are at the heart of this decision:

As regards judicial protection, the referring court states that EU citizens do not have the same remedies as US citizens in respect of the processing of personal data by the US authorities, since the Fourth Amendment to the Constitution of the United States, which constitutes, in United States law, the most important cause of action available to challenge unlawful surveillance, does not apply to EU citizens. In that regard, the referring court states that there are substantial obstacles in respect of the causes of action open to EU citizens, in particular that of locus standi, which it considers to be excessively difficult to satisfy. Furthermore, according to the findings of the referring court, the NSA's activities based on E.O.12333 are not subject to judicial oversight and are not justiciable. Lastly, the referring court considers that, in so far as, in its view, the Privacy Shield Ombudsperson is not a tribunal within the meaning of Article 47 of the Charter, US law does not afford EU citizens a level of protection essentially equivalent to that guaranteed by the fundamental right enshrined in that article.

2. Schrems 2 Ruling Effects

Given that the Privacy Shield has been deemed invalid by the CJEU, it can no longer be relied upon as a method for legitimizing third country data transfers. The Privacy Shield applies only to US companies certified thereunder, not to the US in general, and thus the effects of the Schrems 2 ruling in this regard are more limited. In fact, it can be envisaged that the biggest effect of this ruling will mainly emanate from its repercussions on the application of SCCs.

As such, SCCs can now no longer be used with US companies. Crucially however, the ruling also has a bigger indirect effect on all third country data transfers wherein SCCs are being relied upon for legitimacy purposes as effectively, companies will need to review the law in the respective recipient third country for SCCs to be able to be used to determine whether there is any conflict with EU privacy laws - a pretty difficult and inconvenient legal exercise.

Despite the abovementioned invalidations made by the Ruling and the lack of an adequacy decision pursuant to Article 45(3),"necessary" data flows can still continue to flow under Article 49 of the GDPR. Any situation where users want their data to flow abroad is still legal, as this can be based on the informed consent of the user, which can be withdrawn at any time. Equally the law allows data flows for what is "necessary" to fulfil a contract, public interest as well as in legal claims.

This ruling will undoubtedly also have massive implications for all American companies as well as for any third country, including UK planning to have adequacy with the EU under the GDPR.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.