On July 9, 2019, the European Court of Justice ("ECJ") heard oral argument in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems ("Schrems II").
The primary question before the ECJ is whether the European Commission's standard contractual clauses ("SCCs") are valid for transfers of personal data to the United States.1 Given the widespread reliance on the SCCs for data transfers to the United States and other countries around the world, the ECJ's judgment is likely to have significant ramifications for many organizations.
Covington represents BSA I The Software Alliance2 in Schrems II and in a separate challenge to the EU-U.S. Privacy Shield now pending before the EU General Court, Case T-738/16, La Quadrature du Net and Others v Commission ("LQDN").
The case arises from a complaint filed by privacy activist Maximilian Schrems with the Irish Data Protection Commissioner ("DPC") in December 2015. In his complaint, Mr Schrems challenged Facebook Ireland Ltd's transfer of his personal data to Facebook Inc. in the United States under the 2010 controller-to-processor SCCs, set out in Commission Decision 2010/87/EU (the "SCC Decision"). Among other arguments, Mr Schrems pointed to what he described as the situation of "mass surveillance" in the United States, and asserted that EU data subjects do not have adequate judicial remedies under U.S. law where their data is targeted by U.S. authorities. Mr.Schrems asked the DPC to exercise its powers under Article 4(1) of the SCC Decision to block Facebook Ireland's transfer of his personal data to the United States.
After reviewing both the SCC Decision and certain elements of the U.S. national security regime, the DPC issued a Draft Decision. The DPC broadly agreed that U.S. law was deficient, and that the SCCs did not remedy these deficiencies. Conscious that she lacked authority to strike down the SCC Decision, however, the DPC instead asked the Irish High Court to refer the matter to the ECJ for a ruling on the SCC Decision's validity.3
The Irish High Court reviewed the matter and, following oral argument, agreed that it merited a reference to the ECJ. On April 12, 2018, the Irish High Court asked 11 specific questions (available here) of the ECJ.
The parties in the Irish High Court proceedings included the DPC, Facebook Ireland, and Mr. Schrems, as well as BSA I The Software Alliance, the Electronic Privacy Information Center ("EPIC"), Digital Europe, and the U.S. Government. These parties joined the case on referral to the ECJ; in addition, the European Parliament, the European Commission, and several Member States (Austria, Belgium, the Czech Republic, France, Germany, Ireland, the Netherlands, Poland, Portugal and the UK)4 also intervened before the ECJ. The ECJ also asked the European Data Protection ("EDPB") to appear at the oral hearing.
Following written pleadings, the ECJ set the case for oral argument before the Grand Chamber, signifying its importance.5 The day-long hearing began with statements from the parties and interveners. The judge-rapporteur (Thomas von Danwitz)6 and Advocate General ("AG") (Henrik Saugmandsgaard e) followed with a number of questions, targeted primarily at the European Commission and EDPB.