Breaking News – Standard Contractual Clauses and Privacy Shield – latest developments with Facebook case

Advocate General Henrik Saugmandsgaard Øe of the Court of Justice of the European Union (CJEU) has just handed down his opinion in response to a referral by the High Court of Ireland for preliminary rulings of law. The High Court case in question related to complaints made by Max Schrems against Facebook Ireland and Facebook Inc concerning the transfer of Mr Schrems’ personal data to the United States (U.S).

The Advocate General’s (AG’s) Opinion will be used in deliberations by the Court and whilst not binding, is persuasive and gives a good indication of what the CJEU may eventually rule.

The referral by the Irish High Court was in response to a request by the Irish Data Protection Commissioner (DPC) for the court to provide a ruling so that it may adjudicate Mr Schrems’ complaints.

Mr Schrems had argued that transfers of personal data from Facebook Ireland to its parent company, Facebook Inc in the U.S, failed to ensure an adequate level of protection of the data transferred in accordance with the General Data Protection Regulation (GDPR) and its predecessor, and requested the Irish DPC to suspend transfers to the U.S entity. This was on the basis that certain U.S surveillance laws and measures used by U.S government authorities, including the National Security Agency, allowed the U.S government to intercept and collect content transmitted from Facebook Ireland by methods including access via underwater cables on the floor of the Atlantic Ocean.

Mr Schrems had complained to the Irish Data Protection Commission that by these laws, Facebook Inc would be required to make personal data of its users available to the U.S authorities and would infringe on his rights to privacy. Mr Schrems requested the Irish DPC to suspend such transfers. Mr Schrems had called into question the effectiveness of the legal basis on which Facebook relied to make the transfers, namely standard contractual clauses (SCCs) approved by the European Commission and also the validity of the “privacy shield” adequacy decision. The Privacy Shield is a program approved by the European Commission allowing private U.S organisations to obtain certification designed to afford a level of protection to individuals transferring their personal data to such organisations. A transfer of personal data to an organisation registered with Privacy Shield is currently one method to lawfully transfer personal data to the U.S.

In summary, the AG considered that notwithstanding the submissions put forward by the parties and a number of interveners, the validity of the SCCs should remain unaffected. This is because whilst the laws in the place of receipt may be found to be inadequate, the SCC provisions themselves are “compensation” for the lack of such adequacy. However, if the laws of the place of receipt prevent the recipient from complying with the SCCs (such as the surveillance laws in question), then it is up to the exporter of data to either suspend the transfers or terminate the SCCs. If the exporter chooses not to suspend the transfers or terminate the SCCs, it must notify the relevant supervisory authority (in the UK, this is the Information Commissioner’s Office) and that authority then has the power to itself suspend those transfers.

The AG declined to provide a formal opinion on 6 out of the 11 questions concerning the validity of the Privacy Shield protections and counselled the CJEU not to consider these questions in light of the particular facts of the case.

Notwithstanding this, the AG expressed a number of doubts concerning the level of protection afforded by Privacy Shield and these concerns will no doubt be noted by the CJEU.

A decision of the CJEU should be forthcoming in 2020.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
