Framework for EU-US data flows under scrutiny as ‘Schrems II’ case takes place at the CJEU

For those unfamiliar with the Schrems saga, a brief catch-up may be required. The original case, now known as ‘Schrems I,’ involved an Austrian activist, Max Schrems, filing a complaint with the Irish Data Protection Agency against Facebook. The complaint was that Facebook had allowed US authorities to access his personal data on social media in violation of EU data protection law. This case ultimately found its way to the Court of Justice of the European Union (CJEU) and resulted in the invalidation of the ‘Safe Harbor Framework,’ which was the framework companies relied on to transfer data from the EU to the US. This is largely because legislation in the States does not have adequate limits on what data authorities may access.

With the Safe Harbor Framework invalidated, the Irish DPA asked Max Schrems to reformulate the case. On the 9th July, ‘Schrems II’ was heard at the CJEU in Luxembourg. This case took aim at EU Standard Contractual Clauses (SCC), which Facebook has been relying to legitimise its international data flows. Advocates for Schrems also called for invalidation of the EU-US Privacy Shield, arguing it provides inadequate protection and privacy to data subjects.

The hearing included many supporters of SCC, who emphasised the role of DPAs in enforcing SCC and suspending data flows where necessary and appropriate. The CJEU will likely not reach a decision until early 2020, but with the two remaining frameworks for legitimate EU-US data flows under such heavy scrutiny, data protection practitioners should be preparing for the impact these potential invalidations will have on their clients’ or their companies’ data flows.

Harry Smithson, July 2019