TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | CJEU's 'Schrems II' decision slated for July 16 Related reading: The advocate general's 'Schrems II' opinion: What it says and means

rss_feed

""

""

In one of the most highly anticipated court cases in data protection, the Court of Justice of the European Union announced via Twitter Thursday that case C-311/18 — Facebook Ireland and Schrems — will be delivered July 16. The so-called "Schrems II" case will decide whether standard contractual clauses are a valid means of transferring data under the EU General Data Protection Regulation. 

Last December, Court of Justice of the European Union Advocate General Henrik Saugmandsgaard Øe released his non-binding opinion of the case. In her analysis of the opinion, Caitlin Fennessy, CIPP/US, IAPP's research director and former Privacy Shield Director at the U.S. International Trade Administration, said the advocate general's opinion reaffirmed "the sufficiency of (SCCs), but (called) into question U.S. protections for personal data in the national security context."  

Though the opinion did not call for invalidation of SCCs, Fennessy noted that "the opinion perpetuates the uncertainty that has plagued data transfers for at least a decade. That is because the opinion suggests that companies and data protection authorities should assess the sufficiency of foreign countries' national security protections on a case-by-case basis." 

According to IAPP research, 88% of companies that transfer data out of the EU rely on SCCs, while 60% use Privacy Shield. Saugmandsgaard Øe, in his opinion, said of Privacy Shield, "I conclude from foregoing that there is no need to examine the validity of the (Privacy Shield) decision," but noted that "the establishment of the ombudsperson does not to my mind provide a remedy before an independent body offering the persons whose data are transferred a possibility of relying on their right of access to the data or of contesting any infringements of the applicable rules by the intelligence services." 

Fennessy said at the time, "If the full court follows the direction of the advocate general, it would preserve the European Commission’s adequacy determination for Privacy Shield, while still calling the sufficiency of its protections in the national security sphere into question. That may lead Privacy Shield participants to consider a belt-and-suspenders approach in which they sign model contracts, as well." 

Photo by Elena Mozhvilo on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

1 Comment

If you want to comment on this post, you need to login.

  • comment Gregory Albertyn • May 15, 2020
    If the CJEU formally confirms the AG's opinion, I wonder what will be the continued value of Privacy Shield for many multinationals? Many operate in markets both inside and outside EEA, or have service providers or data hubs outside the EEA or US. Given the relative flexibility and broader scope of SCC's, why maintain Privacy Shield and all the associated resource overhead, if SCC's are sufficient alone? Particularly, where it seems both regimes are plagued with the same basic uncertainty over national security practices in the US.