The Court of Justice of the European Union Invalidates Privacy Shield Framework in the Schrems II Case

Must Read

Police To Decide on the Entry of Farmers To Delhi on Republic Day Says Supreme Court

While the Supreme Court heard a plea seeking an injunction against the tractor rally that is scheduled for January 26th, it held that it is the decision of the Delhi Police officers to see whether the protesting farmers should get entry into Delhi on Republic Day.

[Sushant Singh Rajput Case]: Republic TV & Times Now Hindered Investigation Probe Says Bombay HC

In November last year, the Court had reserved its judgement on the PILs that came from 8 former police officers from Maharashtra, lawyers, activists and NGOs, seeking restraining orders against the media trial in the Sushant Singh Rajput case.

Women Advocates Move To Supreme Court Against the Delhi HC Orders on Resuming Physical Hearing

Another writ petition has been filed by women advocates in the Supreme Court against the decision of the Delhi HC of directing the expansion of physical hearing of cases within the National Capital Territory of Delhi without giving an option to litigants to be represented by their lawyers virtually.

Gujarat High Court Allows Report Filed by Official Liquidator for Dissolution of the Company

The present report had been filed by the Official Liquidator for the dissolution of M/s AtRo Limited under the...

[WhatsApp Privacy Policy Row] It’s a Private App, Don’t Use It; Says Delhi High Court

On Monday, while hearing a petition regarding the privacy policy of WhatsApp, the Delhi High Court said, “It is a private app. Don't join it. It is a voluntary thing, don't accept it. Use some other app.”

Madras High Court Asks the State To Reconsider Number of Seats Allotted for Bcm Category

Mr. Shakkiya filed a Writ Petition under Article 226 of the Indian Constitution to issue a Writ of Mandamus....
Moshiuzzaman
Moshiuzzaman holds a 2:1 LL.B degree from BPP University (UK). He is currently pursuing the CFA chartership and working as an independent legal researcher at the American Society of International Law (ASIL)

Follow us

The Court of Justice of the European Union (EJEU) declared its landmark judgment in the Schrems II case. In its judgment the Court concluded that the Standard Contractual Clauses (SCCs) issued by the European Commission for the transfer of personal data to data processors established outside the European Union (EU) were valid; however, unexpectedly, the court held the EU-U.S. Privacy Shield was invalid. 

Background

The case in question concerned Maxmillian Schrems, an Austrian privacy advocate, who had filed a complaint to the Irish Data Protection Commissioner in 2015, contesting Facebook Ireland’s reliance on the SCCs as a legal basis for transferring personal data to Facebook Inc. in the United States. Facebook had been relying on SCCs after the CJEU invalidated that U.S.EU Safe Harbor Framework in 2015, following a challenge by the same privacy advocate (Schrems I case).

In this case, Schrems argued that the SCCs did not ensure an adequate level of protection for EU data subjects, as the United States’ legislation did not explicitly limit interference with an individual’s right to protection of personal data in the same manner as the EU data protection legislation, namely, the General Data Protection Regulation (GDPR).

A key concern in the dispute was whether EU personal data might be at risk of being accessed and processed by the United States government once transferred, in a manner which is incompatible with privacy rights guaranteed by the Charter of Fundamental Rights and where there was any remedy available to EU individual to ensure the protection of their personal data after transfer to the United States. In pursuit of the complaint, the Irish Data Protection Commissioner brought proceedings against Facebook in the Irish High Court, which referred 11 questions to the CJEU for a preliminary ruling under Art 267 of the Treaty of Function on the Functioning of the European Union (TFEU). The preliminary questions concerned the validity of the SCCs but also concerned the EU-U.S. Privacy Shield framework.

The CJEU’s Ruling

Regarding SCCs, the CJEU primarily followed the non-binding opinion of the CJEU’s Advocate General Saugmandsgaard Øe. The CJEU held that SCCs provided sufficient protection for EU personal data. However, the Court held that EU organizations which relied on SCCs must take a proactive role in evaluating, before any transfer, whether there was, in fact, an “adequate level of protection” for personal data in the importing jurisdiction. Moreover, organizations may implement additional safeguards, over and above contained in the SCCs, to ensure “an adequate level of protection” for the personal data transferred. In addition, the CJEU further noted that non-EU organizations importing data from the EU based on the SCCs must inform data exporters in the EU of any inability in compliance with SCCs. If non-EU data importers are unable to comply with the SCCs, and there are no additional safeguards in place that would ensure an “adequate level of protection”, the EU data exporter is required to suspend the data transfer and/or terminate the contract. Furthermore, the judgment also restated the role of supervisory authorities in assessing and, where necessary, suspending and prohibiting the transfer of personal data to an importing jurisdiction “where they take the view that the SCCs are not or cannot be complied within that country and that the protection of data transferred that is required by EU law cannot be ensured by other means.” 

Contrary to the approach suggested by Advocate General Saugmandsgaard Øe in his opinion, the CJEU decided to examine the rule on the validity of the EU-U.S. Privacy Shield framework. In its ruling, the CJEU held that the Privacy Shield framework was invalid as “the limitations on the protection of personal data arising from [U.S. domestic legislation] on the access and use [of the transferred data] by U.S. public [agencies].. are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU [legislation], by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.” Moreover, the CJEU found that the Privacy Shield framework did not grant EU individuals actionable rights before a body offering guarantees that are substantially equivalent to those required by EU legislation. Based on this, the CJEU declared the Privacy Shield invalid. 

Points to Takeaway

Although SCCs remain valid, organizations that currently rely on them will need to reconsider, having regard to the nature of the personal data, the purpose and context of processing, and the country of destination, and the “adequate level of protection” for personal data as required by EU legislation. If the aforementioned considerations are not met, organizations should pursue additional safeguards to be implemented to ensure there is an “adequate level of protection”.

Alternatively, organizations that currently rely on the EU-US Privacy Shield framework need to urgently identify an alternative means of data transfer mechanism to continue the transfer of personal data to U.S. organizations under the current GDPR legislation. Some plausible means might include Binding Corporate Rules as provided under the GDPR.

Click here to read the judgment.


Libertatem.in is now on Telegram. Follow us for regular legal updates and judgment from courts. Follow us on Google News, InstagramLinkedInFacebook & Twitter. You can subscribe to our Weekly Email Updates. You can also contribute stories like this and help us spread awareness for a better society. Submit Your Post Now.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Latest News

Police To Decide on the Entry of Farmers To Delhi on Republic Day Says Supreme Court

While the Supreme Court heard a plea seeking an injunction against the tractor rally that is scheduled for January 26th, it held that it is the decision of the Delhi Police officers to see whether the protesting farmers should get entry into Delhi on Republic Day.

[Sushant Singh Rajput Case]: Republic TV & Times Now Hindered Investigation Probe Says Bombay HC

In November last year, the Court had reserved its judgement on the PILs that came from 8 former police officers from Maharashtra, lawyers, activists and NGOs, seeking restraining orders against the media trial in the Sushant Singh Rajput case.

Women Advocates Move To Supreme Court Against the Delhi HC Orders on Resuming Physical Hearing

Another writ petition has been filed by women advocates in the Supreme Court against the decision of the Delhi HC of directing the expansion of physical hearing of cases within the National Capital Territory of Delhi without giving an option to litigants to be represented by their lawyers virtually.

Gujarat High Court Allows Report Filed by Official Liquidator for Dissolution of the Company

The present report had been filed by the Official Liquidator for the dissolution of M/s AtRo Limited under the provisions of Section 497 (6)...

[WhatsApp Privacy Policy Row] It’s a Private App, Don’t Use It; Says Delhi High Court

On Monday, while hearing a petition regarding the privacy policy of WhatsApp, the Delhi High Court said, “It is a private app. Don't join it. It is a voluntary thing, don't accept it. Use some other app.”

Madras High Court Asks the State To Reconsider Number of Seats Allotted for Bcm Category

Mr. Shakkiya filed a Writ Petition under Article 226 of the Indian Constitution to issue a Writ of Mandamus. The petition sought to direct...

Gujarat High Court Directs To Register Name of Petitioners in the Society Records as Owners of Property, as per Will

A single-judge bench of Gujarat High Court consisting of Honourable Justice Biren Vaishnav, because probate wasn’t necessary and that the petitioners were entitled to...

If No Complaint Is Filed, No Further Orders Are Required To Be Passed: Telangana High Court

Excerpt In Matlakunta Sundaramma vs The State Of Telangana, on January 8, 2021, the Telangana High Court decided that there is no requirement of passing...

Gujarat High Court Allows Report Filed by Official Liquidator for Dissolution of the Company

The present report had been filed by the Official Liquidator for the dissolution of M/s AtRo Limited under the provisions of Section 497 (6)...

Parents of Road Accident Victim Entitled To Compensation: Delhi High Court

Justice JR Midha said, “Even if parents are not dependent on their children at the time of an accident, they will certainly be dependent, both financially and emotionally, upon them at the later stage of their life, as the children were dependent upon their parents in their initial years.”

More Articles Like This

- Advertisement -