The Court of Justice of the European Union Invalidates Privacy Shield Framework in the Schrems II Case

Must Read

Madras High Court Observes Unexplained Delay in Procedural Safeguards, Quashes Detention Through Writ Petition

A Writ Petition was filed under Article 226 to issue a writ of Habeas Corpus. The petitioner P. Lakshmi,...

UK Court of Appeal Rules Home Department’s Deportation Policy of Immigrants Unlawful

Britain’s Court of Appeal quashed the Home Department’s deportation policy, declaring it unlawful; criticizing it for being too stringent...

Inordinate and Unexplained Delay in Considering Representation by Government Renders Detention Order Illegal: Madras High Court

A Petition under Article 226 of the Constitution was filed in the Madras High Court to declare the detention...

Privy Council Clarifies Approach To Winding up in “Deadlock” Cases in the Case of Chu v. Lau

The Judicial Committee of the Privy Council clarified several aspects of the law concerning just and equitable winding-up petitions,...

Madras High Court Directs Hospital To Submit Necessary Medical Reports to Authorization Committee for Approval of Kidney Transplant

A Writ Petition was filed under Article 226 to issue a Writ of Mandamus to K.G. Hospital, Coimbatore by...

Punjab Woman Evokes Petition for Protection Fearing Honour Killing

In the case of Divya Mattu and another vs State of Punjab and others, the petitioner, Divya, fearing honour...
Moshiuzzaman
Moshiuzzaman holds a 2:1 LL.B degree from BPP University (UK). He is currently pursuing the CFA chartership and working as an independent legal researcher at the American Society of International Law (ASIL)

Follow us

The Court of Justice of the European Union (EJEU) declared its landmark judgment in the Schrems II case. In its judgment the Court concluded that the Standard Contractual Clauses (SCCs) issued by the European Commission for the transfer of personal data to data processors established outside the European Union (EU) were valid; however, unexpectedly, the court held the EU-U.S. Privacy Shield was invalid. 

Background

The case in question concerned Maxmillian Schrems, an Austrian privacy advocate, who had filed a complaint to the Irish Data Protection Commissioner in 2015, contesting Facebook Ireland’s reliance on the SCCs as a legal basis for transferring personal data to Facebook Inc. in the United States. Facebook had been relying on SCCs after the CJEU invalidated that U.S.EU Safe Harbor Framework in 2015, following a challenge by the same privacy advocate (Schrems I case).

In this case, Schrems argued that the SCCs did not ensure an adequate level of protection for EU data subjects, as the United States’ legislation did not explicitly limit interference with an individual’s right to protection of personal data in the same manner as the EU data protection legislation, namely, the General Data Protection Regulation (GDPR).

A key concern in the dispute was whether EU personal data might be at risk of being accessed and processed by the United States government once transferred, in a manner which is incompatible with privacy rights guaranteed by the Charter of Fundamental Rights and where there was any remedy available to EU individual to ensure the protection of their personal data after transfer to the United States. In pursuit of the complaint, the Irish Data Protection Commissioner brought proceedings against Facebook in the Irish High Court, which referred 11 questions to the CJEU for a preliminary ruling under Art 267 of the Treaty of Function on the Functioning of the European Union (TFEU). The preliminary questions concerned the validity of the SCCs but also concerned the EU-U.S. Privacy Shield framework.

The CJEU’s Ruling

Regarding SCCs, the CJEU primarily followed the non-binding opinion of the CJEU’s Advocate General Saugmandsgaard Øe. The CJEU held that SCCs provided sufficient protection for EU personal data. However, the Court held that EU organizations which relied on SCCs must take a proactive role in evaluating, before any transfer, whether there was, in fact, an “adequate level of protection” for personal data in the importing jurisdiction. Moreover, organizations may implement additional safeguards, over and above contained in the SCCs, to ensure “an adequate level of protection” for the personal data transferred. In addition, the CJEU further noted that non-EU organizations importing data from the EU based on the SCCs must inform data exporters in the EU of any inability in compliance with SCCs. If non-EU data importers are unable to comply with the SCCs, and there are no additional safeguards in place that would ensure an “adequate level of protection”, the EU data exporter is required to suspend the data transfer and/or terminate the contract. Furthermore, the judgment also restated the role of supervisory authorities in assessing and, where necessary, suspending and prohibiting the transfer of personal data to an importing jurisdiction “where they take the view that the SCCs are not or cannot be complied within that country and that the protection of data transferred that is required by EU law cannot be ensured by other means.” 

Contrary to the approach suggested by Advocate General Saugmandsgaard Øe in his opinion, the CJEU decided to examine the rule on the validity of the EU-U.S. Privacy Shield framework. In its ruling, the CJEU held that the Privacy Shield framework was invalid as “the limitations on the protection of personal data arising from [U.S. domestic legislation] on the access and use [of the transferred data] by U.S. public [agencies].. are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU [legislation], by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.” Moreover, the CJEU found that the Privacy Shield framework did not grant EU individuals actionable rights before a body offering guarantees that are substantially equivalent to those required by EU legislation. Based on this, the CJEU declared the Privacy Shield invalid. 

Points to Takeaway

Although SCCs remain valid, organizations that currently rely on them will need to reconsider, having regard to the nature of the personal data, the purpose and context of processing, and the country of destination, and the “adequate level of protection” for personal data as required by EU legislation. If the aforementioned considerations are not met, organizations should pursue additional safeguards to be implemented to ensure there is an “adequate level of protection”.

Alternatively, organizations that currently rely on the EU-US Privacy Shield framework need to urgently identify an alternative means of data transfer mechanism to continue the transfer of personal data to U.S. organizations under the current GDPR legislation. Some plausible means might include Binding Corporate Rules as provided under the GDPR.

Click here to read the judgment.


Libertatem.in is now on Telegram. Follow us for regular legal updates and judgment from courts. Follow us on Google News, InstagramLinkedInFacebook & Twitter. You can subscribe to our Weekly Email Updates. You can also contribute stories like this and help us spread awareness for a better society. Submit Your Post Now.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Latest News

Madras High Court Observes Unexplained Delay in Procedural Safeguards, Quashes Detention Through Writ Petition

A Writ Petition was filed under Article 226 to issue a writ of Habeas Corpus. The petitioner P. Lakshmi, called for records of the...

UK Court of Appeal Rules Home Department’s Deportation Policy of Immigrants Unlawful

Britain’s Court of Appeal quashed the Home Department’s deportation policy, declaring it unlawful; criticizing it for being too stringent on immigrants to comply with. Background The...

Inordinate and Unexplained Delay in Considering Representation by Government Renders Detention Order Illegal: Madras High Court

A Petition under Article 226 of the Constitution was filed in the Madras High Court to declare the detention order of the husband of...

Privy Council Clarifies Approach To Winding up in “Deadlock” Cases in the Case of Chu v. Lau

The Judicial Committee of the Privy Council clarified several aspects of the law concerning just and equitable winding-up petitions, as well as shareholder disputes...

Madras High Court Directs Hospital To Submit Necessary Medical Reports to Authorization Committee for Approval of Kidney Transplant

A Writ Petition was filed under Article 226 to issue a Writ of Mandamus to K.G. Hospital, Coimbatore by P. Sankar & V. Sobana....

Punjab Woman Evokes Petition for Protection Fearing Honour Killing

In the case of Divya Mattu and another vs State of Punjab and others, the petitioner, Divya, fearing honour killing against her by her...

Punjab Woman Accuses Punjab Police of Keeping Husband in Illegal Custody and Framing Him in a False Case

In the case of Geeta v the State of Punjab, the petitioner evoked a writ petition of habeas corpus as she claimed that her...

Addition of Words as Prefixes or Suffixes Is an Infringement of a Registered Trademark: Delhi High Court

Justice Jayanth Nath allowed the Times Group to use its registered trademark “Newshour”, in the case of Bennett Coleman and Co. Ltd v. ARG Outlier...

Just Because the Deceased Did Not Have License, Does Not Imply He Was Negligent: Chhattisgarh High Court

In the case of Hemlal & Others v. Dayaram & Others, a Single Bench of Chhattisgarh High Court consisting of Justice Sanjay S. Agrawal annunciated various...

Hoardings Are Movable Property Under Section 2(3) of DMC Act Subject To the Twin Test: Delhi High Court

Delhi High Court in the case of Delhi International Airport v South Delhi Metropolitan Corporation discussed in detail the provision under Section 2(3) of the DMC...

More Articles Like This

- Advertisement -