Editor’s Note: The Court of Justice of the European Union (CJEU) today issued a press release highlighting the judgment issued in the Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems. Provided below is an extract and full copy of today’s press release and a statement extract on the judgment from the Data Protection Commission (DPC) of Ireland.
Press Announcement from the Court of Justice of the European Union
The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield
However, it considers that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is valid.
The General Data Protection Regulation (‘the GDPR’) provides that the transfer of such data to a third country may, in principle, take place only if the third country in question ensures an adequate level of data protection. According to the GDPR, the Commission may find that a third country ensures, by reason of its domestic law or its international commitments, an adequate level of protection. In the absence of an adequacy decision, such transfer may take place only if the personal data exporter established in the EU has provided appropriate safeguards, which may arise, in particular, from standard data protection clauses adopted by the Commission, and if data subjects have enforceable rights and effective legal remedies. Furthermore, the GDPR details the conditions under which such a transfer may take place in the absence of an adequacy decision or appropriate safeguards.
Maximillian Schrems, an Austrian national residing in Austria, has been a Facebook user since 2008. As in the case of other users residing in the European Union, some or all of Mr. Schrems’s personal data is transferred by Facebook Ireland to servers belonging to Facebook Inc. that are located in the United States, where it undergoes processing. Mr. Schrems lodged a complaint with the Irish supervisory authority seeking, in essence, to prohibit those transfers. He claimed that the law and practices in the United States do not offer sufficient protection against access by the public authorities to the data transferred to that country. That complaint was rejected on the ground, inter alia, that, in Decision 2000/520 (‘the Safe Harbour Decision’), the Commission had found that the United States ensured an adequate level of protection. In a judgment delivered on 6 October 2015, the Court of Justice, before which the High Court (Ireland) had referred questions for a preliminary ruling, declared that decision invalid (‘the Schrems I judgment’).
Following the Schrems I judgment and the subsequent annulment by the referring court of the decision rejecting Mr. Schrems’s complaint, the Irish supervisory authority asked Mr. Schrems to reformulate his complaint in the light of the declaration by the Court that Decision 2000/520 was invalid. In his reformulated complaint, Mr. Schrems claims that the United States does not offer sufficient protection of data transferred to that country. He seeks the suspension or prohibition of future transfers of his personal data from the EU to the United States, which Facebook Ireland now carries out pursuant to the standard data protection clauses set out in the Annex to Decision 2010/87. Taking the view that the outcome of Mr. Schrems’s complaint depends, in particular, on the validity of Decision 2010/87, the Irish supervisory authority brought proceedings before the High Court in order for it to refer questions to the Court of Justice for a preliminary ruling. After the initiation of those proceedings, the Commission adopted Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield (‘the Privacy Shield Decision’).
By its request for a preliminary ruling, the referring court asks the Court of Justice whether the GDPR applies to transfers of personal data pursuant to the standard data protection clauses in Decision 2010/87, what level of protection is required by the GDPR in connection with such a transfer, and what obligations are incumbent on supervisory authorities in those circumstances. The High Court also raises the question of the validity both of Decision 2010/87 and of Decision 2016/1250.
In today’s judgment, the Court of Justice finds that examination of Decision 2010/87 in the light of the Charter of Fundamental Rights has disclosed nothing to affect the validity of that decision. However, the Court declares Decision 2016/1250 invalid.
Court of Justice of the European Union Press Release No 91:20
Press Announcement from the Data Protection Commission (Ireland)
DPC Statement on CJEU Decision
The Data Protection Commission (DPC) strongly welcomes today’s judgment from the Court of Justice of the European Union (CJEU).
The DPC commenced these proceedings in 2016 precisely because it was concerned that, properly understood, the CJEU’s Safe Harbour judgment of 2015 was to be read as indicating that, for reasons associated with the structure of the legal system in operation in the United States, EU-US data transfers were inherently problematic. Moreover, this was so, whatever the legal mechanism by which such transfers were conducted.
While constrained, in some respects, by facts particular to Mr. Schrems’ complaint against Facebook, to include Facebook’s reliance on the Standard Contractual Clauses (SCCs) transfer mechanism, the DPC brought these proceedings – and resisted objections from both Facebook and Mr. Schrems – specifically in order to secure a decisive statement of position from the CJEU in relation to the key issues of principle at stake when an EU citizen’s personal data is transferred to the United States.
Today’s judgment provides just that, firmly endorsing the substance of the concerns expressed by the DPC (and by the Irish High Court) to the effect that EU citizens do not enjoy the level of protection demanded by EU law when their data is transferred to the United States. In that regard, while the judgment most obviously captures Facebook’s transfers of data relating to Mr. Schrems, it is of course the case that its scope extends far beyond that, addressing the position of EU citizens generally.
- A Pillar of Empowerment? Evaluating and Reviewing GDPR Data Protection
- A Matter of Opinion? An EDPS View on the European Data Strategy