In one of the most highly anticipated court cases in data protection, the Court of Justice of the European Union announced via Twitter Thursday that case C-311/18 — Facebook Ireland and Schrems — will be delivered July 16. The so-called "Schrems II" case will decide whether standard contractual clauses are a valid means of transferring data under the EU General Data Protection Regulation.
Last December, Court of Justice of the European Union Advocate General Henrik Saugmandsgaard Øe released his non-binding opinion of the case. In her analysis of the opinion, Caitlin Fennessy, CIPP/US, IAPP's research director and former Privacy Shield Director at the U.S. International Trade Administration, said the advocate general's opinion reaffirmed "the sufficiency of (SCCs), but (called) into question U.S. protections for personal data in the national security context."
Though the opinion did not call for invalidation of SCCs, Fennessy noted that "the opinion perpetuates the uncertainty that has plagued data transfers for at least a decade. That is because the opinion suggests that companies and data protection authorities should assess the sufficiency of foreign countries' national security protections on a case-by-case basis."
According to IAPP research, 88% of companies that transfer data out of the EU rely on SCCs, while 60% use Privacy Shield. Saugmandsgaard Øe, in his opinion, said of Privacy Shield, "I conclude from foregoing that there is no need to examine the validity of the (Privacy Shield) decision," but noted that "the establishment of the ombudsperson does not to my mind provide a remedy before an independent body offering the persons whose data are transferred a possibility of relying on their right of access to the data or of contesting any infringements of the applicable rules by the intelligence services."
Fennessy said at the time, "If the full court follows the direction of the advocate general, it would preserve the European Commission’s adequacy determination for Privacy Shield, while still calling the sufficiency of its protections in the national security sphere into question. That may lead Privacy Shield participants to consider a belt-and-suspenders approach in which they sign model contracts, as well."
Photo by Elena Mozhvilo on Unsplash
If you want to comment on this post, you need to login.