CJEU Invalidates Decision on the Adequacy of Protection Under EU-US Data Protection Shield

According to the Court of Justice of the European Union press announcement, in the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.

en flag
nl flag
et flag
fi flag
fr flag
de flag
pt flag
ru flag
es flag

Editor’s Note: The Court of Justice of the European Union (CJEU) today issued a press release highlighting the judgment issued in the Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems. Provided below is an extract and full copy of today’s press release and a statement extract on the judgment from the Data Protection Commission (DPC) of Ireland.

Press Announcement from the Court of Justice of the European Union

The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield

However, it considers that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is valid.

Announcement Extract

The General Data Protection Regulation (‘the GDPR’) provides that the transfer of such data to a third country may, in principle, take place only if the third country in question ensures an adequate level of data protection. According to the GDPR, the Commission may find that a third country ensures, by reason of its domestic law or its international commitments, an adequate level of protection. In the absence of an adequacy decision, such transfer may take place only if the personal data exporter established in the EU has provided appropriate safeguards, which may arise, in particular, from standard data protection clauses adopted by the Commission, and if data subjects have enforceable rights and effective legal remedies. Furthermore, the GDPR details the conditions under which such a transfer may take place in the absence of an adequacy decision or appropriate safeguards.

Maximillian Schrems, an Austrian national residing in Austria, has been a Facebook user since 2008. As in the case of other users residing in the European Union, some or all of Mr. Schrems’s personal data is transferred by Facebook Ireland to servers belonging to Facebook Inc. that are located in the United States, where it undergoes processing. Mr. Schrems lodged a complaint with the Irish supervisory authority seeking, in essence, to prohibit those transfers. He claimed that the law and practices in the United States do not offer sufficient protection against access by the public authorities to the data transferred to that country. That complaint was rejected on the ground, inter alia, that, in Decision 2000/520 (‘the Safe Harbour Decision’), the Commission had found that the United States ensured an adequate level of protection. In a judgment delivered on 6 October 2015, the Court of Justice, before which the High Court (Ireland) had referred questions for a preliminary ruling, declared that decision invalid (‘the Schrems I judgment’).

Following the Schrems I judgment and the subsequent annulment by the referring court of the decision rejecting Mr. Schrems’s complaint, the Irish supervisory authority asked Mr. Schrems to reformulate his complaint in the light of the declaration by the Court that Decision 2000/520 was invalid. In his reformulated complaint, Mr. Schrems claims that the United States does not offer sufficient protection of data transferred to that country. He seeks the suspension or prohibition of future transfers of his personal data from the EU to the United States, which Facebook Ireland now carries out pursuant to the standard data protection clauses set out in the Annex to Decision 2010/87. Taking the view that the outcome of Mr. Schrems’s complaint depends, in particular, on the validity of Decision 2010/87, the Irish supervisory authority brought proceedings before the High Court in order for it to refer questions to the Court of Justice for a preliminary ruling. After the initiation of those proceedings, the Commission adopted Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield (‘the Privacy Shield Decision’).

By its request for a preliminary ruling, the referring court asks the Court of Justice whether the GDPR applies to transfers of personal data pursuant to the standard data protection clauses in Decision 2010/87, what level of protection is required by the GDPR in connection with such a transfer, and what obligations are incumbent on supervisory authorities in those circumstances. The High Court also raises the question of the validity both of Decision 2010/87 and of Decision 2016/1250.

In today’s judgment, the Court of Justice finds that examination of Decision 2010/87 in the light of the Charter of Fundamental Rights has disclosed nothing to affect the validity of that decision. However, the Court declares Decision 2016/1250 invalid.

Review the Complete Press Release (PDF)

Court of Justice of the European Union Press Release No 91:20

 Read the complete announcement at CJEU Press Release No 91/20

Press Announcement from the Data Protection Commission (Ireland)

DPC Statement on CJEU Decision

Announcement Extract

The Data Protection Commission (DPC) strongly welcomes today’s judgment from the Court of Justice of the European Union (CJEU).

The DPC commenced these proceedings in 2016 precisely because it was concerned that, properly understood, the CJEU’s Safe Harbour judgment of 2015 was to be read as indicating that, for reasons associated with the structure of the legal system in operation in the United States, EU-US data transfers were inherently problematic. Moreover, this was so, whatever the legal mechanism by which such transfers were conducted.

While constrained, in some respects, by facts particular to Mr. Schrems’ complaint against Facebook, to include Facebook’s reliance on the Standard Contractual Clauses (SCCs) transfer mechanism, the DPC brought these proceedings – and resisted objections from both Facebook and Mr. Schrems – specifically in order to secure a decisive statement of position from the CJEU in relation to the key issues of principle at stake when an EU citizen’s personal data is transferred to the United States.

Today’s judgment provides just that, firmly endorsing the substance of the concerns expressed by the DPC (and by the Irish High Court) to the effect that EU citizens do not enjoy the level of protection demanded by EU law when their data is transferred to the United States. In that regard, while the judgment most obviously captures Facebook’s transfers of data relating to Mr. Schrems, it is of course the case that its scope extends far beyond that, addressing the position of EU citizens generally.

Read the complete statement at DPC Statement on CJEU Decision

Additional Reading

Source: ComplexDiscovery


Business as Unusual? Eighteen Observations on eDiscovery Business Confidence in the Summer of 2020

The results of the recent Summer 2020 eDiscovery Business Confidence Survey present the unfortunate and continuing impact of COVID-19 on the business of eDiscovery. However, for these pandemic-driven results to be fully understood, they should be viewed through the contextual lens of the results of all nineteen surveys that have been administered to eDiscovery professionals since the inception of the eDiscovery Business Confidence Survey in early 2016.

Check Out the Observations Now!

ComplexDiscovery combines original industry research with curated expert articles to create an informational resource that helps legal, business, and information technology professionals better understand the business and practice of data discovery and legal discovery.

All contributions are invested to support the development and distribution of ComplexDiscovery content. Contributors can make as many article contributions as they like, but will not be asked to register and pay until their contribution reaches $5.

Mitratech Acquires Tracker Corp

The acquisition supports Mitratech’s mission to provide legal and compliance solutions...

A Window into Malware? The New Malware Reverse Engineering Handbook from CCDCOE

According to Wikipedia, malware analysis is the study or process of...

Much Ado About Something? The Hype Cycle for Legal and Compliance Technologies (2020)

The information and insight highlighted by Marko Sillanpaa of Gartner in...

You Want Answers? EDPB FAQ on CJEU Schrems II Decision

Following the recent judgment of the Court of Justice of the...

A Running List: Top 100+ eDiscovery Providers

Based on a compilation of research from analyst firms and industry...

The eDisclosure Systems Buyers Guide – 2020 Edition (Andrew Haslam)

Authored by industry expert Andrew Haslam, the eDisclosure Buyers Guide continues...

The Race to the Starting Line? Recent Secure Remote Review Announcements

Not all secure remote review offerings are equal as the apparent...

Enabling Remote eDiscovery? A Snapshot of DaaS

Desktop as a Service (DaaS) providers are becoming important contributors to...

Home or Away? New eDiscovery Collection Market Sizing and Pricing Considerations

One of the key home (onsite) or away (remote) decisions that...

Revisions and Decisions? New Considerations for eDiscovery Secure Remote Reviews

One of the key revision and decision areas that business, legal,...

A Macro Look at Past and Projected eDiscovery Market Size from 2012 to 2024

From a macro look at past estimations of eDiscovery market size...

An eDiscovery Market Size Mashup: 2019-2024 Worldwide Software and Services Overview

While the Compound Annual Growth Rate (CAGR) for worldwide eDiscovery software...

Business as Unusual? Eighteen Observations on eDiscovery Business Confidence in the Summer of 2020

Based on the aggregate results of nineteen past eDiscovery Business Confidence...

A Growing Concern? Budgetary Constraints and the Business of eDiscovery

In the summer of 2020, 56% of respondents viewed budgetary constraints...

A Change in Tempo? eDiscovery Operational Metrics in the Summer of 2020

In the summer of 2020, 91 eDiscovery Business Confidence Survey participants...

Shifting Gears? eDiscovery Business Confidence Survey Results – Summer 2020

This is the nineteenth quarterly eDiscovery Business Confidence Survey conducted by...

Mitratech Acquires Tracker Corp

The acquisition supports Mitratech’s mission to provide legal and compliance solutions...

XDD Acquires LightSpeed Legal

According to David Moran, XDD President, and COO, “As we continue...

XDD Acquires RVM

According to XDD CEO Bob Polus, “Merging forces with RVM further...

Ipro Acquires NetGovern

According to Dean Brown, CEO at Ipro Tech, “We are thrilled...

Five Great Reads on eDiscovery for July 2020

From business confidence and operational metrics to data protection and privacy...

Five Great Reads on eDiscovery for June 2020

From collection market size updates to cloud outsourcing guidelines, the June...

Five Great Reads on eDiscovery for May 2020

From review market sizing revisions to pandemeconomic pricing, the May 2020...

Five Great Reads on eDiscovery for April 2020

From business confidence to the boom of Zoom, the April 2020...