Is there a new chapter for the EU and its data transfer rules on the horizon?


Your contact

Max Schrems, an Austrian privacy activist, has brought yet another data protection case to the Court of Justice of the European Union (CJEU). The outcome of this case will be decisive for everyone who transfers data to non-EU countries. The decision in the case has the potential to force a wide range of businesses to make huge changes in their data management.

The current case, which is commonly referred to as Schrems II, is the sequel case to the Schrems I case, which resulted in the invalidation of the Safe Harbour Framework for the data transfer between the European Union (EU) and the USA. Schrems II may cause the CJEU to consider the validity of both the European Commission Standard Contractual Clauses (SCCs) and the EU-US Privacy Shield.

The Advocate General’s opinion, issued today, has been keenly awaited as a first indication of the direction the CJEU decision may take. The SCCs are likely to remain as a valid safeguard for international data transfers. The Privacy Shield mechanism however faces a very uncertain future.

1. What has happened so far?

Max Schrems is a privacy activist who is concerned about the cooperation between US companies and US intelligence agencies, particularly about Facebook sharing personal data of EU residents with the US National Security Agency. The fundamental argument before the CJEU has been the alleged power of the US to carry out mass surveillance of EU residents’ personal data without justification. These concerns led to the Schrems I case and the invalidation of the Safe Harbour Framework in 2015. This framework was a mechanism that legitimised data flows from the EU to the US.

The decision was based, in particular, on the fact that the US legislation did not limit interference with an individual’s rights to what is strictly necessary, but allowed the bulk collection of personal data transferred to the US. The legislation did not contain any objective criteria for determining limits to such access and the subsequent use of this personal data by public authorities. After the invalidation of the Safe Harbour Framework, the Irish Data Protection Authority requested Max Schrems to amend his complaint leading him and his team to challenge the EU Standard Contractual Clauses, which is an alternative mechanism to legitimise data flows to non-EU countries.

Max Schrems used a similar argumentation for his second challenge as in the Schrems I case. The Irish Data Protection Authority then brought the case to the Irish High Court, which in turn referred 11 questions to the CJEU for a preliminary ruling. This preliminary ruling is now referred to as the Schrems II case.

2. What happened during the CJEU hearing of 9 July 2019?

The hearing in the Schrems II case took place at the CJEU in Luxembourg, where the main parties presented their arguments. The main parties in the proceeding are the Irish Data Protection Commissioner, Facebook Ireland Ltd. and Max Schrems. Moreover, many stakeholders such as the European Data Protection Board and several Member States have intervened in the proceedings.

During the hearing of 9 July 2019, the SCCs were widely discussed and it was stated by many parties – including Max Schrems’ legal team – that the SCCs should not be invalidated but that the SCCs should be (better) enforced. It was argued that without enforcement, the SCCs were not suited to provide adequate safeguards.

They also discussed the EU-US Privacy Shield, where there seemed to be a stronger tendency among the parties to push for invalidation of the mechanism.

3. What is the Advocate Generals opinion?

Until the judgement is rendered, the Advocate General’s opinion may serve as an indication on whether or not the EU-US Privacy Shield and/ or the SCCs will be declared invalid.

In the opinion of the Advocate General of 19 December 2019 the SCCs are valid. The analysis of the questions submitted to the CJEU has disclosed nothing which may affect the validity of the SCCs. He further explained that the CJEU is not required to rule on the validity of the Privacy Shield mechanism, since this is not part of the dispute at hand. Nevertheless, the Advocate General set out the reasons that lead him to question the validity of the Privacy Shield and the mechanism contained therein.

4. What will happen next? And what does this mean for my business?

The CJEU will have to render a judgement at the beginning of 2020, which may disrupt the status quo on how to deal with data transfers. The CJEU also has a case before it specifically concerning the Privacy Shield.

For now, the existing mechanisms for data transfers remain valid and the Advocate General recommends that this stays the same for the SCCs. Nevertheless, the Attorney General’s opinion indicates that the lawfulness of the Privacy Shield mechanism may be rejected in the near future, which will likely lead to a heavier reliance on the SCCs.

In the case that the CJEU invalidates the SCCs and the Privacy Shield framework, businesses would have to rely on alternative mechanisms for their data transfers to third countries.

The EU General Data Protection Regulation (GDPR) provides for three alternative safeguards, namely:

  • An adequacy decision by the EU stating that a country has an adequate level of data protection. Switzerland, for example, currently benefits from an adequacy decision;
  • Binding Corporate Rules; and
  • A narrow list of derogations where data transfers are permitted to countries where there is no adequacy decision in place (for example, in order to protect life and health).

Currently, there is no readily available alternative to the SCCs and the EU-US Privacy Shield. For your business, this means that you will have to take immediate action following a decision that these mechanisms are invalid.

We recommend that you check that you have:

  • analysed your data flows;
  • considered alternatives to the SCCs and/ or the EU-US Privacy Shield;
  • been in touch with your service providers to ask what contingency plans they have in place; and
  • briefed your management and other key stakeholders about the situation.

Nevertheless, keep in mind that for now nothing has been decided and that we will only know for sure once the CJEU renders its judgement.

We will closely follow the case to keep you updated on the newest developments. If you have any questions, our data protection team is happy to assist.


Share post



most read


Highlights

MLL Legal

MLL Legal is one of the leading law firms in Switzerland with offices in Zurich, Geneva, Zug, Lausanne, London and Madrid. We advise our clients in all areas of business law and stand out in particular for our first-class industry expertise in technical-innovative specialist areas, but also in regulated industries.

MLL Meyerlustenberger Lachenal Froriep

Newsletter

Much is still unclear in relation to liability questions around AI tools.

Read our latest post about “Liability during the Lifecycle of an AI Tool” and download our white paper.

Show article.

Our Story

MLL Legal is a leading Swiss law firm with a history that dates back to 1885. The firm has grown both organically and by means of strategic mergers, the latest of which took place on 1st July 2021 between Meyerlustenberger Lachenal and FRORIEP.

The merger establishes MLL Legal, a combined new entity as one of the largest commercial law firms in Switzerland with 150 lawyers in four offices in Switzerland and two offices abroad, in London and Madrid serving clients seeking Swiss law advice.

Our firm has a strong international profile and brings together recognised leadership and expertise in all areas of law affecting commerce today, with a focus on high-tech, innovative and regulated sectors. 

About us

Publications

Click here for our latest publications

COVID-19

Read all our legal updates on the impact of COVID-19 for businesses.

COVID-19 Information

Job openings

Looking for a new challenge?

Our talented and ambitious teams are motivated by a common vision to succeed. We value open and straightforward communication accross all levels of the organisation in a supportive working environment.

Job openings

Firm News

Click here for our latest firm news.

Our Team

The regulatory and technological landscape continually require businesses to adapt and evolve.
Our 150+ lawyers are continuously innovating and striving for improvement in everything they do. We embrace new ideas and technologies, combining our wealth of expertise with creative thinking and diligence. With our hands-on approach, we implement viable solutions for the most complex legal challenges.

Our Team.

LexCast – the podcast series by MLL NexGen

Smart legal education on the go. The LexCast hosted by MLL NexGen provides legal insights in a short format that allows listeners to educate themselves on and about legal issues wherever they are and whenever they find the time.

Listen to our podcast series – stay tuned.

MLL Legal on Social Media

Follow us on LinkedIn, Twitter und Instagram.