The CJEU has released its judgment in the long running Max Schrems/Facebook Ireland story. We explain what the case is about and why it's important.
To recap (and as set out in our briefing following the Advocate General's preliminary opinion at the end of last year), Max Schrems objected to the transfer by Facebook of his personal data from the EU to the US, following revelations made by one Mr Edward Snowden about access by US surveillance authorities to personal data. The initial case resulted in the downfall of the US "Safe Harbor" regime, which had been put in place as a mechanism for allowing personal data to be transferred from the EEA to the US in a way which complied with EU data protection laws requiring destination countries outside the EEA to keep the data safe and to the same standards as set out in the EEA. This decision of the CJEU, is important because it examined the ongoing validity of two important mechanisms, mandated by the General Data Protection Regulation 2016 (GDPR), for transferring personal data outside the EEA in such as a way as to maintain the safety of that data in the destination country:
- The EU-US Privacy Shield, which was put in place to replace the US "Safe Harbor" regime, and which supposedly addressed the privacy concerns with the "Safe Harbor" so that EEA based businesses could continue to transfer personal data to their US counterparts which had signed up and complied with the new regime; and
- Standard contractual clauses, which are a set of European Commission approved clauses which data exporters and importers sign up to, obliging them to keep personal data exported outside the EEA, safe. There are two sets of clauses – clauses for use between data controllers, and clauses for use in respect of transfers from data controllers to data processors. The CJEU decision examined the latter set of clauses, but the reasoning could also be applied to controller to controller clauses.