In the case between Max Schrems and the Irish Data Protection Authority, the AG says the authority must decide if US surveillance practices comply with EU privacy standards.
Background: The European Court of Justice (ECJ) is currently examining a dispute between an Austrian Facebook user, Max Schrems, and the Irish Data Protection Authority. This follows from a previous case in which the ECJ ruled that the Safe Harbour regime, which underpinned personal data transfers between the EU and the US, was invalid.
What the new case is about: After the demise of Safe Harbour, the case had to restart with Schrems asking Facebook to identify the legal bases for the transfer of personal data from the EU to the United States. In response, Facebook referred to an agreement based on standard contractual clauses set out by the European Commission in 2010. Schrems then challenged that agreement, and questioned the validity of the standard clauses decided by the EC arguing that there are no remedies a person can invoke in the US to safeguard their privacy against surveillance.
How it got back to the ECJ: The Irish Data Protection Commission (DPC) sought to determine whether the US ensure adequate protection of the personal data of EU citizens and, if not, whether standard contractual clauses offer sufficient safeguards. It then brought proceedings to the High Court of Ireland, referring those questions to the ECJ. This week, the Advocate General of the ECJ issued his opinion on the matter, stating that nothing suggests that the EC’s decision of 2010 is invalid in general. However, it could be in breach of the Charter of Fundamental Rights of the EU in the absence of sufficiently sound mechanisms to suspend or ban transfers when clauses are breached or impossible to honour. Data controllers, or data protection authorities when controllers fail to act, have the responsibility to ensure such mechanism is in place.
What does this mean for data transfers to the US? Firstly, the Privacy Shield framework is safe. The AG’s opinion is not binding for the ECJ, which will rule on the case in 2020, although the court often takes the AG’s stance on board. Secondly, the AG said this ruling will not say question the validity of Privacy Shield; it will leave the Irish DPC to decide on that, and on whether standard clauses are a sufficient safeguard. However, the AG still questioned extensively the effectiveness of Privacy Shield; in particular, the way the Ombudsperson Mechanism is set up does not provide an independent extrajudicial remedy. Should the DPC side with such a stance, Privacy Shield could face the same fate as Safe Harbour in a not so distant future.