DPC statement on CJEU decision
16th July 2020
The Data Protection Commission (DPC) strongly welcomes today’s judgment from the Court of Justice of the European Union (CJEU).
The DPC commenced these proceedings in 2016 precisely because it was concerned that, properly understood, the CJEU’s Safe Harbour judgment of 2015 was to be read as indicating that, for reasons associated with the structure of the legal system in operation in the United States, EU-US data transfers were inherently problematic. Moreover, this was so, whatever the legal mechanism by which such transfers were conducted.
While constrained, in some respects, by facts particular to Mr Schrems’ complaint against Facebook, to include Facebook’s reliance on the Standard Contractual Clauses (SCCs) transfer mechanism, the DPC brought these proceedings – and resisted objections from both Facebook and Mr Schrems - specifically in order to secure a decisive statement of position from the CJEU in relation to the key issues of principle at stake when an EU citizen’s personal data is transferred to the United States.
Today’s judgment provides just that, firmly endorsing the substance of the concerns expressed by the DPC (and by the Irish High Court) to the effect that EU citizens do not enjoy the level of protection demanded by EU law when their data is transferred to the United States. In that regard, while the judgment most obviously captures Facebook’s transfers of data relating to Mr Schrems, it is of course the case that its scope extends far beyond that, addressing the position of EU citizens generally.
The Court also agreed with the DPC’s view that, whatever mechanism is used to transfer data to a third country, the protection afforded to EU citizens in respect of that data must be essentially equivalent to that which it enjoys within the EU.
Reflecting the complexity of many of the legal issues it addresses, the judgment (and, indeed, the case as a whole) has many layers, each of which will require careful consideration in the coming days and weeks.
So, while in terms of the points of principle in play, the Court has endorsed the DPC’s position, it has also ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, although it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis.
As well as providing clarity on points of substance, today’s judgment also contains important statements of position relating to matters of process, to include the allocation of responsibility between data controllers and national supervisory authorities when it comes to ensuring that the rights of EU citizens are protected in the context of EU/US data transfers. While noting the Court’s reference to the fact that a supervisory authority could not suspend data transfers while an adequacy decision - such as Privacy Shield – was in force, the DPC acknowledges the central role that it, together with its fellow supervisory authorities across the EU, must play in this area. In that regard, we look forward to developing a common position with our European colleagues to give meaningful and practical effect to today’s judgment.