European Court of Justice Schrems II Decision
Schrems II is the most frequently used abbreviation for the case Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18), brought by Max Schrems, an Austrian lawyer, data protection expert and founder of noyb – an organisation that aims to bring data protection disputes under the GDPR before EU courts. As the name suggests, the Schrems II case was the second high-profile case raised by Schrems in connection with international data transfers between the EU and the US. On 16 July 2020, the CJEU delivered its judgment in the Schrems II case, in which it declared the EU-US Privacy Shield decision invalid but confirmed the validity of the SCCs. Speaking to OneTrust DataGuidance, Eduardo Ustaran, Partner and Global Co-Head of Privacy and Cybersecurity Practice at Hogan Lovells, said: “The impact of this decision is immediate and global. It goes much further than repealing the Privacy Shield, as it requires companies to consider other countries' data access powers when participating in global data flows.”
The impact of Schrems II on the transfer of data from the EEA to the UK after the end of the Brexit transition period on 31 December 2020 is of concern in the longer term; UK surveillance laws could be subject to similar criticism to that of the US, making an adequacy decision by the European Commission less likely and casting doubt on the use of SCCs in these circumstances.
The CJEU found that the European Commission's adequacy decision for the Privacy Shield was invalid for two main reasons. First, the Court found that the US surveillance programmes assessed by the Commission in its Privacy Shield decision are not limited to what is strictly necessary and proportionate under EU law and therefore do not comply with the requirements of Article 52 of the Charter of Fundamental Rights of the European Union.
Second, the Court found that data subjects in the European Union do not have an actionable remedy in relation to US surveillance and are therefore not entitled to an effective remedy in the United States, as required by Article 47 of the Charter of Fundamental Rights of the European Union. It is not (yet) clear what additional measures would be sufficient to address these concerns, and in reality this could prove to be an impossible and impractical task. While adequacy decisions provide a degree of certainty about which countries meet the threshold of protection, in the absence of “deficiency decisions” it will be extremely difficult for companies to say with certainty which countries do not. Therefore, when using SCCs to justify the transfer of data, it is advisable to seek legal advice on whether additional safeguards are necessary and, if so, which ones.
U.S. intelligence agencies may use personal information originally transferred from Europe to the United States for business purposes. As a result, the CJEU insisted that the US grant individuals in Europe “enforceable rights of appeal” to US courts that are “substantially equivalent” to data protection rights within the EU. The Luxembourg-based CJEU, the EU's judicial authority, concluded that US intelligence law does not offer such individualised protection. A key question in both Schrems cases was how national security agencies work to maintain security and ensure a sufficient level of privacy, and whether this is compatible with the GDPR. The GDPR's attempt to extend EU data protection rights and obligations to countries and entities receiving EU personal data reflects a broad dynamic: given the global free flow of data and the ability of national security authorities to access each other's personal data, national data protection standards must also be globalized to be effective. Nevertheless, governments often offer different levels of privacy protection and redress depending on whether a person is a citizen and whether they are. Under the Fourth Amendment to the Constitution, the United States offers people in the United States different remedies than those outside the United States, including access to U.S. courts.
The GDPR aims to extend all rights and obligations available in the EU under the GDPR to any country that receives personal data from the EU. On 16 July 2020, the Court of Justice of the European Union (CJEU) delivered a judgment in the case of Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, “Schrems II”), in which it ruled that the Privacy Shield Framework Decision for data transfers between the EU and the United States (the “Privacy Shield”) is invalid, thus limiting the options available for the exchange of personal data between the two regions. The CJEU also clarified that strict controls and possibly “additional measures” may be needed before companies can rely on standard contractual clauses to justify international data transfers.
The main rule of the GDPR is that transfers outside the EU and EEA are prohibited unless an appropriate security measure can be taken. First, there are the adequacy decisions of the European Commission, in which the European Commission, after a thorough assessment of national laws, has come to the conclusion that a country's data protection laws are essentially as good as the GDPR. Next, there are the mechanisms for securing transfers outside the EU/EEA, which before Schrems II were: Privacy Shield, EU Standard Contractual Clauses and binding corporate rules (only for intra-group transfers). There are also possible exceptions, in the derogations provided for in Article 49, to the general principle that a recipient country must have an adequate level of protection.
The CJEU decisions in Schrems I and Schrems II, which invalidated the EU-U.S. Safe Harbor agreement and, in this most recent case, the EU-U.S. Privacy Shield, are based on a discrepancy between the international impact of the GDPR and its national application to Member States' national security authorities.
Both Schrems cases concerned the US government's access to personal data for national security purposes and the rights of EU citizens in the US to judicial review and redress. In both cases, the CJEU concluded that the US had not provided the protection and redress available in the EU for EU personal data. With regard to access to data for national security purposes, under EU law, including the GDPR, any restriction on EU privacy rights must be “necessary and proportionate”. At the same time, national security is the sole responsibility of Member States. In fact, each EU state is free to reconcile national security needs with data protection rights.