On Tuesday 9 July 2019, the Court of Justice of the European Union (“CJEU”) heard the oral pleadings in C-311/18 or colloquially known as the Schrems 2.0[1] case.
The case found its way to the EU highest court through a complaint raised by Max Schrems, a known privacy advocate, with the Irish Data Protection Commissioner (the competent data protection authority for the Republic of Ireland) relating to a transfer of personal data by Facebook Ireland to Facebook in the US. Eventually the case ended up before the Irish High Court which in turn asked several prejudicial questions to the CJEU. The questions relate to, among others, the possible use of standard contractual clauses (“SCC”) as a valid international data transfer mechanism and the validity of the US-EU Privacy Shield as a framework to lawfully transfer personal data from the European Economic Area (“EEA”) to a Privacy Shield self-certified recipient in the United States where such country can further process the transferred data “for purposes of national security but also for purposes of law enforcement and the conduct of the foreign affairs of the third country”.
This case is paramount for the continued validity of the EU-US Privacy Shield but also of the SCC’s overall as a framework for data transfers, irrespective of the recipient country or organisation. Should the ECJ invalidate SCCs and/or the EU-US Privacy Shield, companies subject to the GDPR and involved in international data transfers outside of the EEA, may need to revise their third country data transfer mechanism to be able to lawfully continue the exchange of personal data with the US as well as countries or organisations outside the European Economic Area for which the European Commission has not issued an Adequacy Decision.
As a next step in the ECJ proceedings, the Advocate-General plans to deliver its non-binding yet authoritative Opinion on the case on 12 December 2019, which will be followed by a judgement from the CJEU expected in the first half of 2020.
PwC Legal of course follows up closely on these developments and can of happily assist you review and prepare for the possible impact on your international data transfers in light of these developments.
[1] The first Schrems case took place in 2015 when the CJEU found that the “Safe Harbour” mechanism, used to legitimize international data transfers between the EEA and the United States, was invalid. Judgement can be consulted here. You can also consult our blog summarising the first Schrems case here.
