Schrems II: US ‘Privacy Shield’ agreement offers inadequate protection

Eoin Molloy (Content Editor) Ireland

September 14, 2020

On Thursday 16 July, the Court of Justice of the European Union decided to invalidate Decision 2016/1250 on the adequacy of protection afforded to internet users by the EU-US Data Protection Shield. That said, the CJEU did clarify that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is indeed valid.

As many of our subscribers will be aware, the long and storied history of this case begins with the named party, Maximilian Schrems – a prominent privacy campaigner from Austria – and his decision to challenge data transfers between Facebook Ireland and servers belonging to its US counterpart. Mr Schrems initially lodged a complaint with the Data Protection Commission here in Ireland, requesting that an end be put to EU-US data transfers, arguing that US data protection laws offered insufficient protection compared to EU laws.

This set in motion a series of hearings which may be briefly summarised as follows. In Decision 2000/520 – also known as the ‘Safe Harbour Decision’ – the Commission found that the US did indeed offer adequate protection, therefore dismissing Schrems’ complaint. In a subsequent CJEU decision, in which the Irish High Court had referred questions relating to the dispute for a preliminary ruling, the original decision was declared invalid.

Mr Schrems was then asked by the DPC to reformulate his complaint, which he did, and new proceedings were then issued before the High Court, leading to new requests for preliminary rulings on the validity of Decisions 2010/87 and 2016/1250. As noted at the outset of this case note, the Court of Justice found that the former was valid, and the latter was not.

Regarding what level of protection is to be required in transfers of data to third countries, the CJEU noted that it must be ‘essentially equivalent to that guaranteed within the EU by the GDPR, read in light of the Charter’. This will involve assessing: (i) the actual contractual clauses themselves; (ii) whether or not public bodies have access to the data collected; and (iii) the relevant aspects of the third country’s legal system. Where a supervisory authority believes that data is being transferred in a way that contravenes these requirements, the CJEU clarified that it is required by law to suspend or prohibit such transfers.

This decision is quite a momentous one, and will affect companies engaged in collecting data from the EU but domiciled in a third country. Such companies may well opt to begin holding the data collected within the territory of the EU – something that large multinationals like Facebook and Google had already begun to do. Moreover, another consequence of this decision is that the workload of the Data Protection Commission will increase dramatically.

Note: This is intended to be a fair and accurate report of a decision made public by a court of law. If there are any errors in the text, please notify the editor and they will be dealt with accordingly.