Six years after he launched his privacy battle against Facebook, Max Schrems returned to The Court of Justice of the European Union (CJEU) Europe’s for a second time.
On this occasion CJEU is hearing a case concerning the validity of two key data transfer mechanisms: Standard Contractual Clauses (SCCs) and Privacy Shield – mechanisms widely used by businesses within the European Economic Area (EEA) to legitimise the transfer of personal data to countries outside the EEA.
The case was initiated by a complaint in 2013 by Schrems, an Austrian activist, with the Irish Data Protection Commission. This Commission then referred the question to the national courts as to the validity of the ‘standard contractual clauses’ (SCCs) allowing companies to move data from Europe to elsewhere, including the US. In 2014 the Irish High Court made a preliminary reference to Court of Justice of the European Union (CJEU), to primarily determine whether these contractual clauses violate the union’s fundamental right to privacy.
In 2015, the CJEU ruled that data protection authorities could investigate complaints about the violation of Europeans’ privacy rights and that the said Safe Harbour wasn’t protecting those rights, because of American mass surveillance laws. The CJEU struck down Safe Harbour, with immediate effect. Companies like Facebook started resorting to SCC and Max Schrems’s landmark 2015 victory didn’t end his case. It went back to the Irish data protection authority, which this time agreed to investigate it. But instead of cracking down on Facebook, it requested that the case be back to the CJEU.
The CJEU will now need to establish whether standard contractual clauses—the legal tool that Facebook and many other companies now use, given the mass surveillance prevalent in USA, are also valid. In evaluating the clauses, the CJEU will size up the Privacy Shield too.
The Irish High Court has already ruled that the U.S. government conducts mass surveillance on personal data held on U.S. servers. So, as far as the CJEU is concerned, that’s no longer up for debate—and the CJEU has previously said that such “mass processing” violates EU fundamental rights. To this end there is a very high probability that the CJEU will just build on the latter judgement and issue a ruling which could have devasting effects on the free movement of data to the US and thus on trade.
Should just the SCCs or also the Privacy Shield be annulled by the CJEU, several companies basing their trading policies on either of the two mechanisms could be heavily impacted. If the CJEU were to render both the SCCs and Privacy Shield invalid, companies might temporarily have to resort to Binding Corporate Rules; adopted internally by multi-national companies (but which will not offer an adequate replacement to the current two mechanisms), and resort to the GDPR provisions in Article 49. This Article provides for a scenario where there is an ‘absence of an adequacy decision pursuant to Article 45(3) or of appropriate safeguards pursuant to Article 46, including binding corporate rules’.
If the CJEU proceeds by annulling these mechanisms, not only would global companies be affected, but the consequences would result in another setback to the EU Commission’s negotiations regarding the sensitivities of the transatlantic transferring of personal data. Furthermore, whereas the impact of Schrems 1.0 only affected EU data transfers to the US, Schrems 2.0 could have implications regarding EU data transfers with the whole world. This is because the SCCs are relied upon world-wide, unlike the Safe Harbour which was solely an agreement between the EU and US.
On the 12th December 2019, Advocate General Henrik Saugmandsgaard Øe will give his non-binding opinion, and the full decision of the case is to be expected by early 2020.