Schrems II heard in Europe: potential huge impact on global data transfers

  • The Court of Justice of the European Union (“CJEU“) has heard oral submissions in the latest case questioning the legal validity of international data transfer mechanisms under the GDPR, such as Standard Contractual Clauses and the EU-US Privacy Shield;
  • The Irish Data Protection Commissioner (“DPC“) is seeking a ruling that would find the so-called Standard Contractual Clauses, which are used to legitimise the transfer of personal data from Europe all around the world, as invalid because they do not provide adequate protection for individuals’ data;
  • The CJEU heard yesterday from the DPC, Facebook, the Electronic Privacy Information Center, DigitalEurope, the Business Software Alliance, the European Commission, the European Data Protection Board, the US government, several EU Member States and representatives of the original complainant Mr Schrems;
  • The Advocate General will give his non-binding opinion on the case on 12 December this year, with a full decision expected from the CJEU by early 2020;
  • If the Standard Contractual Clauses are declared invalid, this will have a huge impact on global trade, effectively putting the brakes on the international transfer of data.

Continue reading

Clarification on the status of the EU-US Privacy Shield on a no deal Brexit

The UK Government has published a new data-related Brexit statutory instrument clarifying the position with respect to transfers of personal data to the US in reliance on the EU-US Privacy Shield (the “Privacy Shield“) and in a no-deal Brexit scenario.

Transfers to the US under the Privacy Shield are currently made pursuant to a special category of adequacy decision based on a specific arrangement put in place between the US and EU authorities. However, advice and guidance on how such arrangements could continue to work in a no-deal Brexit scenario had differed. Continue reading

EU – US Privacy Shield adequacy decision incorporated into the EEA Agreement

On 12 July 2016 the European Commission adopted an “adequacy decision” allowing for the transatlantic transfer of personal data from the EU to the US in accordance with the framework and principles of the EU-US Privacy Shield (the “Privacy Shield”). This new framework was established following the previous transfer mechanism, the US Safe Harbour, being found invalid by the ECJ in October 2015. Continue reading

EU-US Privacy Shield first annual review announced following a challenging introduction

On 12 July 2016, the European Commission adopted an “adequacy decision” allowing for the transatlantic transfer of personal data from the EU to the US in accordance with the framework and principles of the EU-US Privacy Shield (the “Privacy Shield“).

Two privacy advocacy groups have however since filed actions in the European General Court to annul the adequacy decision. On 28 October 2016 the Irish privacy advocacy group, Digital Rights Ireland, filed an “action for annulment” on the basis that the Privacy Shield does not sufficiently protect the privacy rights of EU citizens. If successful, the action would invalidate the European Commission’s adequacy decision that approved and adopted the Privacy Shield. The group filed the challenge in the General Court based in Luxembourg, the second highest EU Court after the CJEU. A further challenge was also filed in the General Court by a French civil society group at the end of October 2016. It could take the General Court twelve months or more before a decision is handed down.

Continue reading