The Court of Justice of the European Union ruling in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems. Judgment in Case C-311/18

Abstract

On 16th July, 2020, The Court of Justice for the European Union (CJEU) delivered its verdict in the case brought by Maximillian Schrems against Facebook Ireland. The court’s finding was that EUUS Privacy Shield is invalid, while the Standard Contractual Clauses (SCCs) remained a lawful way to transfer data. This finding is a blow to the US administration and the thousands of businesses relying on it. Many of those companies must remember that the previous framework for data transfers between the regions was found invalid in 2015: Safe Harbour. Now, EU–US data transfers have limited options. The SCCs were found by the CJEU court to only be valid if each processing activity involving an EU to US data transfer is assessed individually, that risks are appropriately mitigated and the rights of data subjects can be guaranteed. This puts an additional compliance burden on smaller businesses. This case study discusses how difficult it is to argue with the court’s decision. The requirement now is to fix the underlying issues surrounding intelligence gathering to make it more transparent, build trust and to establish a framework that balances an individual’s privacy rights with the needs of intelligence agencies.