CJEU Case C-311/18 | Data Protection Commissioner v Facebook Ireland and Maximillian Schrems

Summary:

Judgment from the Court of Justice of the European Union (CJEU) relating to the transfer of personal data by a private company from a European Union (EU) Member State to a private company in a third country for commercial purposes. It concerns specifically the legality of standard contractual clauses (SCCs) as a mechanism to transfer personal data outside the EU. The judgment became known as the Schrems II judgment.

Further information:

Directive (EU) 2016/679 - also known as the General Data Protection Regulation (GDPR) - establishes that transfer of personal data to third countries may, in principle, take place only if the third country in question ensures an adequate level of data protection. As in the case of other users residing in the European Union (EU), some or all of Maximillian Schrems's personal data is transferred by Facebook Ireland to servers belonging to Facebook Inc. that are located in the United States (US), where it undergoes processing.

Mr Schrems lodged a complaint with the Irish supervisory authority seeking, in essence, to prohibit those transfers. The Schrems I judgment eventually resulted in the annulment by the CJEU of the European Commission's Decision 2000/520/EC - the Safe Harbour Decision - which considered the United States to provide an adequate level of protection. Mr Schrems was later asked to reformulate his complaint in light of the judgment.

The complaint claims that the United States does not offer sufficient protection of data transferred to that country. Mr Schrems seeks the suspension or prohibition of future transfers of his personal data from the EU to the US, which Facebook Ireland carries out pursuant to standard data protection clauses set out in Annex to Commission Decision 2010/87. In June 2018, the CJEU was again asked on the validity of such Decision. After the initiation of those proceedings, the Commission adopted Decision 2016/1250 - the Privacy Shield Decision - on the adequacy of the protection provided by the Privacy Shield agreed between the EU and the US. The CJEU was also asked on the validity of this Decision.

The CJEU found on 16 July 2020 that examination of Decision 2010/87 in the light of the Charter of Fundamental Rights has disclosed nothing to affect the validity of that decision. However, the Court also declared the invalidation of the Privacy Shield Decision.

Commentary and Analysis

GDPR Hub: CJEU - C-311/18 - Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems https://gdprhub.eu/CJEU_-_C-311/18_-_Data_Protection_Commissioner_v_Facebook_Ireland_Limited_and_Maximillian_Schrems

DLA Piper: Blog, 01/07/2019: Schrems 2.0 - The Demise of Standard Contractual Clauses and Privacy Shield? https://blogs.dlapiper.com/privacymatters/schrems-2-0-the-demise-of-standard-contractual-clauses-and-privacy-shield/

European Law Blog, 15/07/2019: The US, China, and Case 311/18 on Standard Contractual Clauses https://europeanlawblog.eu/2019/07/15/the-us-china-and-case-311-18-on-standard-contractual-clauses/

PwC: News, 17/07/2019: The Schrems 2.0 case and its potential effect on international data transfers to the US or elsewhere https://www.pwclegal.be/en/news/the-schrems-2-0-case-and-its-potential-effect-on-international-d.html

Leuven University: CiTiP Blog, 13/08/2019: Schrems II: “A hard rain’s a-gonna fall” on the international transfers of EU personal data? https://www.law.kuleuven.be/citip/blog/schrems-ii-a-hard-rains-a-gonna-fall-on-the-international-transfers-of-eu-personal-data-the-very-uncertain-future-of-the-standard-contractual-clauses-and/

NOYB: Prep-Document for December 19th 2019: C-311/18 Facebook Ireland and Schrems (“Schrems II”), Advocate General Opinion (18 December 2019) https://noyb.eu/sites/default/files/2020-03/ag_prep_en.pdf

White&Case: Alerts, 20/12/2019: EU Data Transfer Restrictions – No changes for now https://www.whitecase.com/publications/alert/eu-data-transfer-restrictions-no-changes-now

EU Law Analysis, 21/12/2019: The AG Opinion in Schrems II: Facebook, national security and data protection law http://eulawanalysis.blogspot.com/2019/12/the-ag-opinion-in-schrems-ii-facebook.html

DLA Piper: Blog, 23/12/2019: Europe: "Schrems 2.0" 5 Takeaways from the Advocate General's Opinion https://blogs.dlapiper.com/privacymatters/europe-schrems-2-0-5-takeaways-from-the-advocate-generals-opinion/

European Law Blog, 07/01/2020: International data transfers, standard contractual clauses, and the Privacy Shield: the AG Opinion in Schrems II https://europeanlawblog.eu/2020/01/07/international-data-transfers-standard-contractual-clauses-and-the-privacy-shield-the-ag-opinion-in-schrems-ii/

Maastricht University: Blog, 16/05/2020: 16 July: the most important date of the year (for privacy people, that is…) https://www.maastrichtuniversity.nl/blog/2020/05/16-july-most-important-date-year-privacy-people-%E2%80%A6

Norton Rose Fulbright: Publication, July 2020: Schrems II landmark ruling: A detailed analysis https://www.nortonrosefulbright.com/en/knowledge/publications/ad5f304c/schrems-ii-landmark-ruling-a-detailed-analysis

Politico, 13/07/2020: The EU court ruling that could blow up digital trade https://www.politico.eu/article/us-china-data-flows-at-risk-in-top-eu-court-ruling/

RTÉ News, 15/07/2020: The Facebook data privacy case - all you need to know https://www.rte.ie/news/business/2020/0715/1153460-facebook-schrems-ecj/

EU Law Analysis, 16/07/2020: “You Were Only Supposed to Blow the Bloody Doors Off!”: Schrems II and external transfers of personal data http://eulawanalysis.blogspot.com/2020/07/you-were-only-supposed-to-blow-bloody.html

European Law Blog, 21/07/2020: After Schrems II : Uncertainties on the Legal Basis for Data Transfers and Constitutional Implications for Europe https://europeanlawblog.eu/2020/07/21/after-schrems-ii-uncertainties-on-the-legal-basis-for-data-transfers-and-constitutional-implications-for-europe/

DLA Piper: Insights, 27/07/2020: EU-US Privacy Shield is no more. What now for employers After Schrems II? https://www.dlapiper.com/en/uk/insights/publications/2020/07/eu-us-privacy-shield-is-no-more/

Statewatch: News, 19/08/2020: 'Schrems II' fallout: talks begin on "an enhanced EU-U.S. Privacy Shield framework" https://www.statewatch.org/news/2020/august/schrems-ii-fallout-talks-begin-on-an-enhanced-eu-u-s-privacy-shield-framework/

Verfassungsblog, 25/08/2020: Schrems II Re-Examined https://verfassungsblog.de/schrems-ii-re-examined/

Digital Europe, 31/08/2020: An early analysis of Schrems II – key questions and possible ways forward https://www.digitaleurope.org/resources/an-early-analysis-of-schrems-ii-key-questions-and-possible-ways-forward/

---

News

Deutsche Welle, 09/07/2019: ECJ hears landmark case over Facebook data security https://p.dw.com/p/3LmTY

Bloomberg, 09/07/2019: Facebook Faces Activist, EU Judges in ‘Schrems II’ Privacy Case https://www.bloomberg.com/news/articles/2019-07-09/facebook-faces-activist-eu-judges-in-schrems-ii-privacy-case

AP News, 19/12/2019: EU court boost for activist in Facebook data transfer fight https://apnews.com/32cd88d05897f31e5b4d1bcd3d1ade83

Politico, 19/12/2019: Top EU lawyer backs legality of international data transfers https://www.politico.eu/article/adviser-to-europes-top-court-backs-legality-of-data-transfer-mechanism/

EurActiv, 19/12/2019: Facebook, privacy activist Schrems battle nears end https://www.euractiv.com/section/data-protection/news/facebook-privacy-activist-schrems-battle-nears-end/

Delano, 19/12/2019: Facebook wins 1st round in latest Schrems battle at ECJ https://delano.lu/d/detail/news/facebook-wins-1st-round-latest-schrems-battle-ecj/208924

RTÉ News, 13/07/2020: EU top court to rule in landmark Facebook, Schrems privacy case https://www.rte.ie/news/business/2020/0713/1153033-facebook/

Reuters, 13/07/2020: EU top court to rule in landmark Facebook, Schrems privacy case https://www.reuters.com/article/idUSKCN24E1NM

BBC News, 16/07/2020: EU-US Privacy Shield for data struck down by court https://www.bbc.co.uk/news/technology-53418898

Reuters, 16/07/2020: Top EU court ditches transatlantic data transfer deal https://www.reuters.com/article/idUSKCN24G391

The Guardian, 16/07/2020: Tech firms like Facebook must restrict data sent from EU to US, court rules https://www.theguardian.com/technology/2020/jul/16/tech-firms-like-facebook-must-restrict-data-sent-from-eu-to-us-court-rules

EurActiv, 16/07/2020: EU-US data transfers at critical risk as ECJ invalidates Privacy Shield https://www.euractiv.com/section/digital/news/eu-us-data-transfers-at-critical-risk-as-ecj-invalidates-privacy-shield/

Politico, 16/07/2020: EU court ruling strikes hammer blow to transatlantic data flows https://www.politico.eu/article/eu-court-ruling-strikes-hammer-blow-to-transatlantic-data-flows/

RTÉ News, 16/07/2020: EU court rules EU-US data protection agreement invalid https://www.rte.ie/news/2020/0716/1153586-facebook-privacy-courts/

Bloomberg, 16/07/2020: EU Court Blocks Data Pact Amid Fears Over U.S. Surveillance https://www.bloomberg.com/news/articles/2020-07-16/eu-court-bans-privacy-shield-data-transfer-pact

EUObserver, 17/07/2020: EU top court bins 'Privacy Shield' in Schrems privacy case https://euobserver.com/science/148969

---

Official

CJEU CURIA: Case C-311/18 | Facebook Ireland and Maximillian Schrems http://curia.europa.eu/juris/documents.jsf?num=C-311/18

CJEU: Press Release, 19/12/2019: Advocate General’s Opinion in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems https://curia.europa.eu/jcms/upload/docs/application/pdf/2019-12/cp190165en.pdf

Ireland: Data Protection Commission: Press Release, 19/12/2019: DPC statement on AG opinion on case # C-311/18 CJEU https://www.dataprotection.ie/en/news-media/press-releases/dpc-statement-ag-opinion

CJEU: Press Release, 16/07/2020: Judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems https://curia.europa.eu/jcms/jcms/p1_3117870/en/

European Commission: Opening remarks by Vice-President Jourová and Commissioner Reynders at the press point following the judgment in case C-311/18 Facebook Ireland and Schrems (16 July 2020) https://ec.europa.eu/commission/presscorner/detail/en/statement_20_1366

Ireland: Data Protection Commission: Press Release, 16/07/2020: DPC statement on CJEU decision https://www.dataprotection.ie/en/news-media/press-releases/dpc-statement-cjeu-decision

EU EDPS: Press Release, 17/07/2020: EDPS Statement following the Court of Justice ruling in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems (“Schrems II”) https://edps.europa.eu/press-publications/press-news/press-releases/2020/edps-statement-following-court-justice-ruling-case_en

EU EDPB: Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (24 July 2020) https://edpb.europa.eu/our-work-tools/our-documents/other/frequently-asked-questions-judgment-court-justice-european-union_en

European Parliament: Legislative Observatory: Procedure File for Resolution on Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (“Schrems II”) - Case C-311/18 (2020/2789(RSP) https://oeil.secure.europarl.europa.eu/oeil/popups/ficheprocedure.do?reference=2020/2789(RSP)

---