Search

How can we help?

Icon

Breaking News – Standard Contractual Clauses and Privacy Shield – latest developments with Facebook case

Advocate General, Henrik Saugmandsgaard Øe of the Court of Justice of the European Union (CJEU) has just handed down his opinion in response to a referral by the High Court of Ireland for preliminary rulings of law. The High Court case in question related to complaints made by Max Schrems against Facebook Ireland and Facebook Inc concerning the transfer of Mr Schrems’ personal data to the United States (U.S).

The Advocate General’s (AG’s) Opinion will be used in deliberations by the Court and whilst not binding, is persuasive and gives a good indication of what the CJEU may eventually rule.

The referral by the Irish High Court was in response to a request by Irish Data Protection Commissioner (DPC) for the court to provide a ruling so that it may adjudicate Mr Schrems’ complaints.

Mr Schrems had argued that transfers of personal data from Facebook Ireland to its parent company, Facebook Inc in the U.S failed to ensure an adequate level of protection of the data transferred in accordance with the General Data Protection Regulation (GDPR) and its predecessor and requested the Irish DPC to suspend transfers to the U.S entity. This was on the basis that certain U.S surveillance laws and measures used by U.S government authorities, including the National Security Agency allowed the U.S government to intercept and collect content transmitted from Facebook Ireland by methods including access via underwater cables on the floor of the Atlantic Ocean.

Mr Schrems had complained to the Irish Data Protection Commission that by these laws, Facebook Inc would be required to make personal data of its users available to the U.S authorities and would infringe on his rights to privacy. Mr Schrems requested the Irish DPC to suspend such transfers. Mr Schrems had called into question the effectiveness of the legal basis on which Facebook relied to make the transfers, namely standard contractual clauses (SCCs) approved by the European Commission and also the validity of the “privacy shield” adequacy decision. The Privacy Shield is a program approved by the European Commission allowing private U.S organisations to obtain certification designed to afford a level of protection to individuals transferring their personal data to such organisations. A transfer of personal data to an organisation registered with Privacy Shield is currently one method to lawfully transfer personal data to the U.S.

The Advocate General’s (AG’s) Opinion will be used in deliberations by the Court and whilst not binding, is persuasive and gives a good indication of what the CJEU may eventually rule.

In summary, the AG considered that notwithstanding the submissions put forward by the parties and a number of interveners, the validity of the SCCs should remain unaffected. This is because whilst the laws in the place of receipt may be found to be inadequate, the SCC provisions themselves are “compensation” for the lack of such adequacy. However, if the laws of the place of receipt prevents the recipient from complying with the SCCs (such as the surveillance laws in question) then it is up to the exporter of data to either suspend the transfers or terminate the SCCs. If the exporter chooses not to suspend the transfers or terminate the SCCs, it must notify the relevant supervisory authority (in the UK, this is the Information Commissioner’s Office) and that authority then has the power to itself suspend those transfers.

The AG declined to provide a formal opinion on 6 out of the 11 questions concerning the validity of the Privacy Shield protections and counselled the CJEU not to consider these questions in light of the particular facts of the case.

Notwithstanding this, the AG expressed a number of doubts concerning the level of protection afforded by Privacy Shield and these concerns will no doubt be noted by the CJEU.

A decision of the CJEU should be forthcoming in 2020.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Author profile

About this article

Read, listen and watch our latest insights

art
  • 15 September 2025
  • Immigration

Sharp rise in Sponsor Licence Revocations – What employers need to know

The Home Office has reported a record number of sponsor licence revocations over the past year, as part of its intensified efforts to crack down on abuse of the UK’s immigration system.

art
  • 10 September 2025
  • Commercial Real Estate

Trouble at the Table: The Challenges Facing the UK Hospitality Sector in the run up to Christmas 2025

The UK hospitality sector, long celebrated for its vibrancy and resilience, is facing a perfect storm of economic, operational, and structural challenges in 2025.

art
  • 09 September 2025
  • Commercial Real Estate

Le bail commercial anglais: quelques points essentiels à considérer

Typiquement, les baux commerciaux en Angleterre sont de court terme, d’une durée de 5 ou 10 ans, avec un loyer de marché et des ajustements du loyer périodiques en fonction de l’inflation ou d’autres facteurs. 

art
  • 09 September 2025
  • Corporate and M&A

The Failure to Prevent Fraud Offence – be prepared to avoid criminal liability

The failure to prevent fraud offence is a new corporate offence which has come into force on 1 September 2025.

art
  • 08 September 2025
  • Employment

Can employers still make changes to contracts after the Employment Rights Bill?

The short answer is yes but it will be much more difficult for employers following the introduction of the Employment Rights Bill because their ability to fairly dismiss employees who do not agree contractual changes is being restricted. 

art
  • 05 September 2025
  • Privacy and Data Protection

When Ignoring a DSAR Becomes a Criminal Offence

On 3 September 2025, Mr Jason Blake appeared at Beverley Magistrates Court and was fined for failing to respond to a data subject access request (DSAR).