|Author (Corporate)||Cardiff EDC|
Judgment from the Court of Justice of the European Union (CJEU) relating to the transfer of personal data by a private company from a European Union (EU) Member State to a private company in a third country for commercial purposes. It concerns specifically the legality of standard contractual clauses (SCCs) as a mechanism to transfer personal data outside the EU. The judgment became known as the Schrems II judgment.
Directive (EU) 2016/679 - also known as the General Data Protection Regulation (GDPR) - establishes that transfer of personal data to third countries may, in principle, take place only if the third country in question ensures an adequate level of data protection. As in the case of other users residing in the European Union (EU), some or all of Maximillian Schrems's personal data is transferred by Facebook Ireland to servers belonging to Facebook Inc. that are located in the United States (US), where it undergoes processing.
Mr Schrems lodged a complaint with the Irish supervisory authority seeking, in essence, to prohibit those transfers. The Schrems I judgment eventually resulted in the annulment by the CJEU of the European Commission's Decision 2000/520/EC - the Safe Harbour Decision - which considered the United States to provide an adequate level of protection. Mr Schrems was later asked to reformulate his complaint in light of the judgment.
The complaint claims that the United States does not offer sufficient protection of data transferred to that country. Mr Schrems seeks the suspension or prohibition of future transfers of his personal data from the EU to the US, which Facebook Ireland carries out pursuant to standard data protection clauses set out in Annex to Commission Decision 2010/87. In June 2018, the CJEU was again asked on the validity of such Decision. After the initiation of those proceedings, the Commission adopted Decision 2016/1250 - the Privacy Shield Decision - on the adequacy of the protection provided by the Privacy Shield agreed between the EU and the US. The CJEU was also asked on the validity of this Decision.
The CJEU found on 16 July 2020 that examination of Decision 2010/87 in the light of the Charter of Fundamental Rights has disclosed nothing to affect the validity of that decision. However, the Court also declared the invalidation of the Privacy Shield Decision.
|Subject Categories||Values and Beliefs|
|Subject Tags||EU Law, Fundamental | Human Rights|
|Keywords||CJEU Judgments, Data Privacy | Protection, EU-US Privacy Shield | Safe Harbor, Facebook
|Countries / Regions||Ireland, United States|
|International Organisations||European Union [EU]|