Search

How can we help?

Icon

Breaking News – Standard Contractual Clauses and Privacy Shield – latest developments with Facebook case

Advocate General, Henrik Saugmandsgaard Øe of the Court of Justice of the European Union (CJEU) has just handed down his opinion in response to a referral by the High Court of Ireland for preliminary rulings of law. The High Court case in question related to complaints made by Max Schrems against Facebook Ireland and Facebook Inc concerning the transfer of Mr Schrems’ personal data to the United States (U.S).

The Advocate General’s (AG’s) Opinion will be used in deliberations by the Court and whilst not binding, is persuasive and gives a good indication of what the CJEU may eventually rule.

The referral by the Irish High Court was in response to a request by Irish Data Protection Commissioner (DPC) for the court to provide a ruling so that it may adjudicate Mr Schrems’ complaints.

Mr Schrems had argued that transfers of personal data from Facebook Ireland to its parent company, Facebook Inc in the U.S failed to ensure an adequate level of protection of the data transferred in accordance with the General Data Protection Regulation (GDPR) and its predecessor and requested the Irish DPC to suspend transfers to the U.S entity. This was on the basis that certain U.S surveillance laws and measures used by U.S government authorities, including the National Security Agency allowed the U.S government to intercept and collect content transmitted from Facebook Ireland by methods including access via underwater cables on the floor of the Atlantic Ocean.

Mr Schrems had complained to the Irish Data Protection Commission that by these laws, Facebook Inc would be required to make personal data of its users available to the U.S authorities and would infringe on his rights to privacy. Mr Schrems requested the Irish DPC to suspend such transfers. Mr Schrems had called into question the effectiveness of the legal basis on which Facebook relied to make the transfers, namely standard contractual clauses (SCCs) approved by the European Commission and also the validity of the “privacy shield” adequacy decision. The Privacy Shield is a program approved by the European Commission allowing private U.S organisations to obtain certification designed to afford a level of protection to individuals transferring their personal data to such organisations. A transfer of personal data to an organisation registered with Privacy Shield is currently one method to lawfully transfer personal data to the U.S.

The Advocate General’s (AG’s) Opinion will be used in deliberations by the Court and whilst not binding, is persuasive and gives a good indication of what the CJEU may eventually rule.

In summary, the AG considered that notwithstanding the submissions put forward by the parties and a number of interveners, the validity of the SCCs should remain unaffected. This is because whilst the laws in the place of receipt may be found to be inadequate, the SCC provisions themselves are “compensation” for the lack of such adequacy. However, if the laws of the place of receipt prevents the recipient from complying with the SCCs (such as the surveillance laws in question) then it is up to the exporter of data to either suspend the transfers or terminate the SCCs. If the exporter chooses not to suspend the transfers or terminate the SCCs, it must notify the relevant supervisory authority (in the UK, this is the Information Commissioner’s Office) and that authority then has the power to itself suspend those transfers.

The AG declined to provide a formal opinion on 6 out of the 11 questions concerning the validity of the Privacy Shield protections and counselled the CJEU not to consider these questions in light of the particular facts of the case.

Notwithstanding this, the AG expressed a number of doubts concerning the level of protection afforded by Privacy Shield and these concerns will no doubt be noted by the CJEU.

A decision of the CJEU should be forthcoming in 2020.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

art
  • 16 May 2024
  • Immigration

What Employers need to know about Biometric Residence Permits

Biometric Residence Permits (BRPs) are biometric immigration documents that are issued to non-EEA nationals and EEA nationals, who have been granted permission to stay in the UK.

art
  • 14 May 2024

Clarkslegal’s London team moves to new Chancery Lane office

The London office of Clarkslegal has relocated to Chancery House, on Chancery Lane. The staff is enthusiastic about the relocation because Chancery Lane has a longstanding association with the legal profession in London.

art
  • 10 May 2024
  • Employment

New duty on employers to prevent sexual harassment – coming October 2024

The Worker Protection (Amendment of Equality Act 2010) Act 2023 is due to come into force in October 2024.

art
  • 09 May 2024
  • Employment

Labour Party Employment Law Proposals – Promises of further consultations and a softer approach

The Prime Minister recently announced a raft of changes, to be implemented in the next parliament, aimed at reducing the number of people who are economically inactive due to illness.

art
  • 09 May 2024
  • Corporate and M&A

Navigating corporate transparency: ECCTA reforms series – part 1

The Economic Crime and Corporate Transparency Act 2023 (ECCTA) received Royal Assent in October 2023 and marked a pivotal moment in corporate governance and transparency.

art
  • 07 May 2024
  • Employment

Changes to TUPE rules from 1 July 2024

The Transfer of Undertakings (Protection of Employment) Regulations 2006 (‘TUPE’) aim to safeguard employees’ rights on the transfer of a business or on the change of a service.