SlideShare ist ein Scribd-Unternehmen logo

ECJ Press Release in Schrems II Decision

Internet Law Center
Internet Law Center

Summary of European Court of Justice's July 2020 decision in Schrems v Facebook (aka Schrems II)

Recht
1 von 3
Downloaden Sie, um offline zu lesen
www.curia.europa.eu Press and Information Court of Justice of the European Union PRESS RELEASE No 91/20 Luxembourg, 16 July 2020 Judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield However, it considers that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is valid. The General Data Protection Regulation1 (‘the GDPR’) provides that the transfer of such data to a third country may, in principle, take place only if the third country in question ensures an adequate level of data protection. According to the GDPR, the Commission may find that a third country ensures, by reason of its domestic law or its international commitments, an adequate level of protection.2 In the absence of an adequacy decision, such transfer may take place only if the personal data exporter established in the EU has provided appropriate safeguards, which may arise, in particular, from standard data protection clauses adopted by the Commission, and if data subjects have enforceable rights and effective legal remedies.3 Furthermore, the GDPR details the conditions under which such a transfer may take place in the absence of an adequacy decision or appropriate safeguards.4 Maximillian Schrems, an Austrian national residing in Austria, has been a Facebook user since 2008. As in the case of other users residing in the European Union, some or all of Mr Schrems’s personal data is transferred by Facebook Ireland to servers belonging to Facebook Inc. that are located in the United States, where it undergoes processing. Mr Schrems lodged a complaint with the Irish supervisory authority seeking, in essence, to prohibit those transfers. He claimed that the law and practices in the United States do not offer sufficient protection against access by the public authorities to the data transferred to that country. That complaint was rejected on the ground, inter alia, that, in Decision 2000/5205 (‘the Safe Harbour Decision’), the Commission had found that the United States ensured an adequate level of protection. In a judgment delivered on 6 October 2015, the Court of Justice, before which the High Court (Ireland) had referred questions for a preliminary ruling, declared that decision invalid (‘the Schrems I judgment’).6 Following the Schrems I judgment and the subsequent annulment by the referring court of the decision rejecting Mr Schrems’s complaint, the Irish supervisory authority asked Mr Schrems to reformulate his complaint in the light of the declaration by the Court that Decision 2000/520 was invalid. In his reformulated complaint, Mr Schrems claims that the United States does not offer sufficient protection of data transferred to that country. He seeks the suspension or prohibition of future transfers of his personal data from the EU to the United States, which Facebook Ireland now carries out pursuant to the standard data protection clauses set out in the Annex to Decision 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ 2016 L 119, p. 1). 2 Article 45 of the GDPR. 3 Article 46(1) and (2)(c) of the GDPR. 4 Article 49 of the GDPR. 5 Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (OJ 2000 p.7). 6 Case:C-362/14 Schrems see also Press Release No. 117/15.
2010/87.7 Taking the view that the outcome of Mr Schrems’s complaint depends, in particular, on the validity of Decision 2010/87, the Irish supervisory authority brought proceedings before the High Court in order for it to refer questions to the Court of Justice for a preliminary ruling. After the initiation of those proceedings, the Commission adopted Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield8 (‘the Privacy Shield Decision’). By its request for a preliminary ruling, the referring court asks the Court of Justice whether the GDPR applies to transfers of personal data pursuant to the standard data protection clauses in Decision 2010/87, what level of protection is required by the GDPR in connection with such a transfer, and what obligations are incumbent on supervisory authorities in those circumstances. The High Court also raises the question of the validity both of Decision 2010/87 and of Decision 2016/1250. In today’s judgment, the Court of Justice finds that examination of Decision 2010/87 in the light of the Charter of Fundamental Rights has disclosed nothing to affect the validity of that decision. However, the Court declares Decision 2016/1250 invalid. The Court considers, first of all, that EU law, and in particular the GDPR, applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, even if, at the time of that transfer or thereafter, that data may be processed by the authorities of the third country in question for the purposes of public security, defence and State security. The Court adds that this type of data processing by the authorities of a third country cannot preclude such a transfer from the scope of the GDPR. Regarding the level of protection required in respect of such a transfer, the Court holds that the requirements laid down for such purposes by the GDPR concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter. In those circumstances, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country. Regarding the supervisory authorities’ obligations in connection with such a transfer, the Court holds that, unless there is a valid Commission adequacy decision, those competent supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means, where the data exporter established in the EU has not itself suspended or put an end to such a transfer. Next, the Court examines the validity of Decision 2010/87. The Court considers that the validity of that decision is not called into question by the mere fact that the standard data protection clauses in that decision do not, given that they are contractual in nature, bind the authorities of the third country to which data may be transferred. However, that validity, the Court adds, depends on whether the decision includes effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of 7 Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 (OJ 2016 L 344, p. 100). 8 Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (OJ 2016 L 207, p. 1).
personal data pursuant to such clauses are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them. The Court finds that Decision 2010/87 establishes such mechanisms. In that regard, the Court points out, in particular, that that decision imposes an obligation on a data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned and that the decision requires the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former. Lastly, the Court examines the validity of Decision 2016/1250 in the light of the requirements arising from the GDPR, read in the light of the provisions of the Charter guaranteeing respect for private and family life, personal data protection and the right to effective judicial protection. In that regard, the Court notes that that decision enshrines the position, as did Decision 2000/520, that the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country. In the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary. On the basis of the findings made in that decision, the Court pointed out that, in respect of certain surveillance programmes, those provisions do not indicate any limitations on the power they confer to implement those programmes, or the existence of guarantees for potentially targeted non-US persons. The Court adds that, although those provisions lay down requirements with which the US authorities must comply when implementing the surveillance programmes in question, the provisions do not grant data subjects actionable rights before the courts against the US authorities. As regards the requirement of judicial protection, the Court holds that, contrary to the view taken by the Commission in Decision 2016/1250, the Ombudsperson mechanism referred to in that decision does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as to ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services. On all those grounds, the Court declares Decision 2016/1250 invalid. NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of European Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. The Court of Justice does not decide the dispute itself. Unofficial document for media use, not binding on the Court of Justice. Unofficial document for media use, not binding on the Court of Justice. The full text of the judgment is published on the CURIA website on the day of delivery Press contact: Jacques René Zammit  (+352) 4303 3355 Pictures of the delivery of the judgment are available from "Europe by Satellite”  (+32) 2296 4106

Empfohlen

Bulletin - US-EU Data Privacy Safe Harbor Program Invalidated
Bulletin - US-EU Data Privacy Safe Harbor Program InvalidatedBulletin - US-EU Data Privacy Safe Harbor Program Invalidated
Bulletin - US-EU Data Privacy Safe Harbor Program InvalidatedCohenGrigsby
 
CJEU decision on Schrems
CJEU decision on SchremsCJEU decision on Schrems
CJEU decision on SchremsGreg Sterling
 
Factsheet data protection and Right to be Forgotten
Factsheet data protection and Right to be ForgottenFactsheet data protection and Right to be Forgotten
Factsheet data protection and Right to be ForgottenEdouard Nguyen
 
Factsheet data protection_en
Factsheet data protection_enFactsheet data protection_en
Factsheet data protection_enGreg Sterling
 
edpl_2016_01-020
edpl_2016_01-020edpl_2016_01-020
edpl_2016_01-020Stephanie Michail
 
Fpr pd6 a
Fpr pd6 aFpr pd6 a
Fpr pd6 aPAINalison
 
UK & EU Freedom of Information & Data Protection: Continuity & Change
UK & EU Freedom of Information & Data Protection: Continuity & ChangeUK & EU Freedom of Information & Data Protection: Continuity & Change
UK & EU Freedom of Information & Data Protection: Continuity & ChangeDavid Erdos
 
Google inc-enforcement-notice-11062013
Google inc-enforcement-notice-11062013Google inc-enforcement-notice-11062013
Google inc-enforcement-notice-11062013Greg Sterling
 

Empfohlen

Bulletin - US-EU Data Privacy Safe Harbor Program Invalidated
Bulletin - US-EU Data Privacy Safe Harbor Program InvalidatedBulletin - US-EU Data Privacy Safe Harbor Program Invalidated
Bulletin - US-EU Data Privacy Safe Harbor Program InvalidatedCohenGrigsby
 
CJEU decision on Schrems
CJEU decision on SchremsCJEU decision on Schrems
CJEU decision on SchremsGreg Sterling
 
Factsheet data protection and Right to be Forgotten
Factsheet data protection and Right to be ForgottenFactsheet data protection and Right to be Forgotten
Factsheet data protection and Right to be ForgottenEdouard Nguyen
 
Factsheet data protection_en
Factsheet data protection_enFactsheet data protection_en
Factsheet data protection_enGreg Sterling
 
edpl_2016_01-020
edpl_2016_01-020edpl_2016_01-020
edpl_2016_01-020Stephanie Michail
 
Fpr pd6 a
Fpr pd6 aFpr pd6 a
Fpr pd6 aPAINalison
 
UK & EU Freedom of Information & Data Protection: Continuity & Change
UK & EU Freedom of Information & Data Protection: Continuity & ChangeUK & EU Freedom of Information & Data Protection: Continuity & Change
UK & EU Freedom of Information & Data Protection: Continuity & ChangeDavid Erdos
 
Google inc-enforcement-notice-11062013
Google inc-enforcement-notice-11062013Google inc-enforcement-notice-11062013
Google inc-enforcement-notice-11062013Greg Sterling
 
Is the parallel competence set out in regulation 12003 totally clear. case co...
Is the parallel competence set out in regulation 12003 totally clear. case co...Is the parallel competence set out in regulation 12003 totally clear. case co...
Is the parallel competence set out in regulation 12003 totally clear. case co...Michal
 
Uk data retention review ver 3.0
Uk data retention review ver 3.0Uk data retention review ver 3.0
Uk data retention review ver 3.0Amr El-Deeb
 
Facebook_a privacy defender or a privacy traitor
Facebook_a privacy defender or a privacy traitorFacebook_a privacy defender or a privacy traitor
Facebook_a privacy defender or a privacy traitorAlexia-Nefeli Dumas
 
Tribunal 10 december-2014 hearing decision notice and statement of reasons SC...
Tribunal 10 december-2014 hearing decision notice and statement of reasons SC...Tribunal 10 december-2014 hearing decision notice and statement of reasons SC...
Tribunal 10 december-2014 hearing decision notice and statement of reasons SC...eichhornn
 
First appeal against CIC New Delhi dated 24.01.2017 for Non- Implementation ...
First appeal against CIC New Delhi dated 24.01.2017 for Non- Implementation ...First appeal against CIC New Delhi dated 24.01.2017 for Non- Implementation ...
First appeal against CIC New Delhi dated 24.01.2017 for Non- Implementation ...Om Prakash Poddar
 
Complaint Document of Widow Asha Rani Devi to Hon'ble the Chief Justice of In...
Complaint Document of Widow Asha Rani Devi to Hon'ble the Chief Justice of In...Complaint Document of Widow Asha Rani Devi to Hon'ble the Chief Justice of In...
Complaint Document of Widow Asha Rani Devi to Hon'ble the Chief Justice of In...Om Prakash Poddar
 
20200724 edpb faqoncjeuc31118
20200724 edpb faqoncjeuc3111820200724 edpb faqoncjeuc31118
20200724 edpb faqoncjeuc31118Internet Law Center
 
EU-US Data Privacy Framework
EU-US Data Privacy FrameworkEU-US Data Privacy Framework
EU-US Data Privacy FrameworkQuotidiano Piemontese
 
Slides presentation RU schrems mr. drs. Mark jansen Dirkzwager advocaten & ...
Slides presentation RU schrems mr. drs. Mark jansen Dirkzwager advocaten & ...Slides presentation RU schrems mr. drs. Mark jansen Dirkzwager advocaten & ...
Slides presentation RU schrems mr. drs. Mark jansen Dirkzwager advocaten & ...Sectie Intellectueel Eigendom en IT-recht van Dirkzwager advocaten & notarissen
 
After Schrems, how lawful is cloud storage?
After Schrems, how lawful is cloud storage?After Schrems, how lawful is cloud storage?
After Schrems, how lawful is cloud storage?Seb Oram
 
Evertio Schrems II
Evertio Schrems IIEvertio Schrems II
Evertio Schrems IIFanny Surjana
 
GRAPH: Schrems II GDPR cross-border transfers of personal data
GRAPH: Schrems II GDPR cross-border transfers of personal dataGRAPH: Schrems II GDPR cross-border transfers of personal data
GRAPH: Schrems II GDPR cross-border transfers of personal datajoanna_kornas
 
Data retention directive is invalid
Data retention directive is invalidData retention directive is invalid
Data retention directive is invalidMonica Lupașcu
 
Factsheet on the "Right to be Forgotten" ruling
Factsheet on the "Right to be Forgotten" rulingFactsheet on the "Right to be Forgotten" ruling
Factsheet on the "Right to be Forgotten" rulingSilesia SEM
 
No Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyNo Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyKate Chan
 
Right to be forgotten en
Right to be forgotten enRight to be forgotten en
Right to be forgotten enLoyanne Rathburn-Dintelmann
 
The Data Retention Directive: recent developments
The Data Retention Directive: recent developmentsThe Data Retention Directive: recent developments
The Data Retention Directive: recent developmentsblogzilla
 
EU GDPR (training)
EU GDPR (training) EU GDPR (training)
EU GDPR (training) Elizabeth Baker, JD, CRCMP
 
Didier Reynders letter to the EU Parliament
Didier Reynders letter to the EU ParliamentDidier Reynders letter to the EU Parliament
Didier Reynders letter to the EU ParliamentLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
Data Privacy vs. National Security post Safe Harbor
Data Privacy vs. National Security post Safe HarborData Privacy vs. National Security post Safe Harbor
Data Privacy vs. National Security post Safe HarborGayle Gorvett
 
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERS
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERSHAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERS
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERSThomas O. Dubuisson
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...Ulf Mattsson
 

Weitere ähnliche Inhalte

Was ist angesagt?

Is the parallel competence set out in regulation 12003 totally clear. case co...
Is the parallel competence set out in regulation 12003 totally clear. case co...Is the parallel competence set out in regulation 12003 totally clear. case co...
Is the parallel competence set out in regulation 12003 totally clear. case co...Michal
 
Uk data retention review ver 3.0
Uk data retention review ver 3.0Uk data retention review ver 3.0
Uk data retention review ver 3.0Amr El-Deeb
 
Facebook_a privacy defender or a privacy traitor
Facebook_a privacy defender or a privacy traitorFacebook_a privacy defender or a privacy traitor
Facebook_a privacy defender or a privacy traitorAlexia-Nefeli Dumas
 
Tribunal 10 december-2014 hearing decision notice and statement of reasons SC...
Tribunal 10 december-2014 hearing decision notice and statement of reasons SC...Tribunal 10 december-2014 hearing decision notice and statement of reasons SC...
Tribunal 10 december-2014 hearing decision notice and statement of reasons SC...eichhornn
 
First appeal against CIC New Delhi dated 24.01.2017 for Non- Implementation ...
First appeal against CIC New Delhi dated 24.01.2017 for Non- Implementation ...First appeal against CIC New Delhi dated 24.01.2017 for Non- Implementation ...
First appeal against CIC New Delhi dated 24.01.2017 for Non- Implementation ...Om Prakash Poddar
 
Complaint Document of Widow Asha Rani Devi to Hon'ble the Chief Justice of In...
Complaint Document of Widow Asha Rani Devi to Hon'ble the Chief Justice of In...Complaint Document of Widow Asha Rani Devi to Hon'ble the Chief Justice of In...
Complaint Document of Widow Asha Rani Devi to Hon'ble the Chief Justice of In...Om Prakash Poddar
 

Was ist angesagt? (6)

Is the parallel competence set out in regulation 12003 totally clear. case co...
Is the parallel competence set out in regulation 12003 totally clear. case co...Is the parallel competence set out in regulation 12003 totally clear. case co...
Is the parallel competence set out in regulation 12003 totally clear. case co...
 
Uk data retention review ver 3.0
Uk data retention review ver 3.0Uk data retention review ver 3.0
Uk data retention review ver 3.0
 
Facebook_a privacy defender or a privacy traitor
Facebook_a privacy defender or a privacy traitorFacebook_a privacy defender or a privacy traitor
Facebook_a privacy defender or a privacy traitor
 
Tribunal 10 december-2014 hearing decision notice and statement of reasons SC...
Tribunal 10 december-2014 hearing decision notice and statement of reasons SC...Tribunal 10 december-2014 hearing decision notice and statement of reasons SC...
Tribunal 10 december-2014 hearing decision notice and statement of reasons SC...
 
First appeal against CIC New Delhi dated 24.01.2017 for Non- Implementation ...
First appeal against CIC New Delhi dated 24.01.2017 for Non- Implementation ...First appeal against CIC New Delhi dated 24.01.2017 for Non- Implementation ...
First appeal against CIC New Delhi dated 24.01.2017 for Non- Implementation ...
 
Complaint Document of Widow Asha Rani Devi to Hon'ble the Chief Justice of In...
Complaint Document of Widow Asha Rani Devi to Hon'ble the Chief Justice of In...Complaint Document of Widow Asha Rani Devi to Hon'ble the Chief Justice of In...
Complaint Document of Widow Asha Rani Devi to Hon'ble the Chief Justice of In...
 

Ähnlich wie ECJ Press Release in Schrems II Decision

After Schrems, how lawful is cloud storage?
After Schrems, how lawful is cloud storage?After Schrems, how lawful is cloud storage?
After Schrems, how lawful is cloud storage?Seb Oram
 
GRAPH: Schrems II GDPR cross-border transfers of personal data
GRAPH: Schrems II GDPR cross-border transfers of personal dataGRAPH: Schrems II GDPR cross-border transfers of personal data
GRAPH: Schrems II GDPR cross-border transfers of personal datajoanna_kornas
 
Data retention directive is invalid
Data retention directive is invalidData retention directive is invalid
Data retention directive is invalidMonica Lupașcu
 
Factsheet on the "Right to be Forgotten" ruling
Factsheet on the "Right to be Forgotten" rulingFactsheet on the "Right to be Forgotten" ruling
Factsheet on the "Right to be Forgotten" rulingSilesia SEM
 
No Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyNo Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyKate Chan
 
The Data Retention Directive: recent developments
The Data Retention Directive: recent developmentsThe Data Retention Directive: recent developments
The Data Retention Directive: recent developmentsblogzilla
 
Data Privacy vs. National Security post Safe Harbor
Data Privacy vs. National Security post Safe HarborData Privacy vs. National Security post Safe Harbor
Data Privacy vs. National Security post Safe HarborGayle Gorvett
 
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERS
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERSHAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERS
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERSThomas O. Dubuisson
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...Ulf Mattsson
 
The GDPR: What About Data Stored or Transmitted Outside the EU?
The GDPR: What About Data Stored or Transmitted Outside the EU?The GDPR: What About Data Stored or Transmitted Outside the EU?
The GDPR: What About Data Stored or Transmitted Outside the EU?TAG Alliances
 
EU Guidelines On The Right To Be Forgotten Implementation November 2014
EU Guidelines On The Right To Be Forgotten Implementation November 2014EU Guidelines On The Right To Be Forgotten Implementation November 2014
EU Guidelines On The Right To Be Forgotten Implementation November 2014Krishna De
 
Guidelines on the implementation of the Court of Justice of the European Union
Guidelines on the implementation of the Court of Justice of the European UnionGuidelines on the implementation of the Court of Justice of the European Union
Guidelines on the implementation of the Court of Justice of the European UnionSilesia SEM
 

Ähnlich wie ECJ Press Release in Schrems II Decision (20)

20200724 edpb faqoncjeuc31118
20200724 edpb faqoncjeuc3111820200724 edpb faqoncjeuc31118
20200724 edpb faqoncjeuc31118
 
EU-US Data Privacy Framework
EU-US Data Privacy FrameworkEU-US Data Privacy Framework
EU-US Data Privacy Framework
 
Slides presentation RU schrems mr. drs. Mark jansen Dirkzwager advocaten & ...
Slides presentation RU schrems mr. drs. Mark jansen Dirkzwager advocaten & ...Slides presentation RU schrems mr. drs. Mark jansen Dirkzwager advocaten & ...
Slides presentation RU schrems mr. drs. Mark jansen Dirkzwager advocaten & ...
 
After Schrems, how lawful is cloud storage?
After Schrems, how lawful is cloud storage?After Schrems, how lawful is cloud storage?
After Schrems, how lawful is cloud storage?
 
Evertio Schrems II
Evertio Schrems IIEvertio Schrems II
Evertio Schrems II
 
GRAPH: Schrems II GDPR cross-border transfers of personal data
GRAPH: Schrems II GDPR cross-border transfers of personal dataGRAPH: Schrems II GDPR cross-border transfers of personal data
GRAPH: Schrems II GDPR cross-border transfers of personal data
 
Data retention directive is invalid
Data retention directive is invalidData retention directive is invalid
Data retention directive is invalid
 
Factsheet on the "Right to be Forgotten" ruling
Factsheet on the "Right to be Forgotten" rulingFactsheet on the "Right to be Forgotten" ruling
Factsheet on the "Right to be Forgotten" ruling
 
No Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyNo Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data Privacy
 
Right to be forgotten en
Right to be forgotten enRight to be forgotten en
Right to be forgotten en
 
The Data Retention Directive: recent developments
The Data Retention Directive: recent developmentsThe Data Retention Directive: recent developments
The Data Retention Directive: recent developments
 
EU GDPR (training)
EU GDPR (training) EU GDPR (training)
EU GDPR (training)
 
Didier Reynders letter to the EU Parliament
Didier Reynders letter to the EU ParliamentDidier Reynders letter to the EU Parliament
Didier Reynders letter to the EU Parliament
 
Data Privacy vs. National Security post Safe Harbor
Data Privacy vs. National Security post Safe HarborData Privacy vs. National Security post Safe Harbor
Data Privacy vs. National Security post Safe Harbor
 
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERS
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERSHAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERS
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERS
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...
 
The GDPR: What About Data Stored or Transmitted Outside the EU?
The GDPR: What About Data Stored or Transmitted Outside the EU?The GDPR: What About Data Stored or Transmitted Outside the EU?
The GDPR: What About Data Stored or Transmitted Outside the EU?
 
EU Guidelines On The Right To Be Forgotten Implementation November 2014
EU Guidelines On The Right To Be Forgotten Implementation November 2014EU Guidelines On The Right To Be Forgotten Implementation November 2014
EU Guidelines On The Right To Be Forgotten Implementation November 2014
 
Guidelines on the implementation of the Court of Justice of the European Union
Guidelines on the implementation of the Court of Justice of the European UnionGuidelines on the implementation of the Court of Justice of the European Union
Guidelines on the implementation of the Court of Justice of the European Union
 
Eu rtbf criteria
Eu rtbf criteriaEu rtbf criteria
Eu rtbf criteria
 

Mehr von Internet Law Center

Blueprint for an AI Bill of Rights _ OSTP _ The White House.pdf
Blueprint for an AI Bill of Rights _ OSTP _ The White House.pdfBlueprint for an AI Bill of Rights _ OSTP _ The White House.pdf
Blueprint for an AI Bill of Rights _ OSTP _ The White House.pdfInternet Law Center
 
Blueprint-for-an-AI-Bill-of-Rights.pdf
Blueprint-for-an-AI-Bill-of-Rights.pdfBlueprint-for-an-AI-Bill-of-Rights.pdf
Blueprint-for-an-AI-Bill-of-Rights.pdfInternet Law Center
 
FACT SHEET_ Biden-Harris Administration Secures Voluntary Commitments from Le...
FACT SHEET_ Biden-Harris Administration Secures Voluntary Commitments from Le...FACT SHEET_ Biden-Harris Administration Secures Voluntary Commitments from Le...
FACT SHEET_ Biden-Harris Administration Secures Voluntary Commitments from Le...Internet Law Center
 
Oregon Data Broker Law eff 2024.pdf
Oregon Data Broker Law eff 2024.pdfOregon Data Broker Law eff 2024.pdf
Oregon Data Broker Law eff 2024.pdfInternet Law Center
 
Generative Artificial Intelligence and Data Privacy: A Primer
Generative Artificial Intelligence and Data Privacy: A Primer Generative Artificial Intelligence and Data Privacy: A Primer
Generative Artificial Intelligence and Data Privacy: A Primer Internet Law Center
 
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdfBipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdfInternet Law Center
 
Cyber Security Basics for the WFH Economy
Cyber Security Basics for the WFH EconomyCyber Security Basics for the WFH Economy
Cyber Security Basics for the WFH EconomyInternet Law Center
 
Cyber exploitation-law-enforcement-bulletin
Cyber exploitation-law-enforcement-bulletinCyber exploitation-law-enforcement-bulletin
Cyber exploitation-law-enforcement-bulletinInternet Law Center
 
Data Privacy Day - Five Ways to Help Employees be Privacy Aware
Data Privacy Day - Five Ways to Help Employees be Privacy AwareData Privacy Day - Five Ways to Help Employees be Privacy Aware
Data Privacy Day - Five Ways to Help Employees be Privacy AwareInternet Law Center
 
Cyber Report: A New Year with New Laws
Cyber Report: A New Year with New LawsCyber Report: A New Year with New Laws
Cyber Report: A New Year with New LawsInternet Law Center
 
Dumpson v-Ade-opinion-on-default-judgment (1)
Dumpson v-Ade-opinion-on-default-judgment (1)Dumpson v-Ade-opinion-on-default-judgment (1)
Dumpson v-Ade-opinion-on-default-judgment (1)Internet Law Center
 
A BRIEF HISTORY OF US PRIVACY REGULATION ATTEMPTS
A BRIEF HISTORY OF US PRIVACY REGULATION ATTEMPTSA BRIEF HISTORY OF US PRIVACY REGULATION ATTEMPTS
A BRIEF HISTORY OF US PRIVACY REGULATION ATTEMPTSInternet Law Center
 

Mehr von Internet Law Center (20)

Blueprint for an AI Bill of Rights _ OSTP _ The White House.pdf
Blueprint for an AI Bill of Rights _ OSTP _ The White House.pdfBlueprint for an AI Bill of Rights _ OSTP _ The White House.pdf
Blueprint for an AI Bill of Rights _ OSTP _ The White House.pdf
 
Blueprint-for-an-AI-Bill-of-Rights.pdf
Blueprint-for-an-AI-Bill-of-Rights.pdfBlueprint-for-an-AI-Bill-of-Rights.pdf
Blueprint-for-an-AI-Bill-of-Rights.pdf
 
FACT SHEET_ Biden-Harris Administration Secures Voluntary Commitments from Le...
FACT SHEET_ Biden-Harris Administration Secures Voluntary Commitments from Le...FACT SHEET_ Biden-Harris Administration Secures Voluntary Commitments from Le...
FACT SHEET_ Biden-Harris Administration Secures Voluntary Commitments from Le...
 
SEC Cybersecurity Rule.pdf
SEC Cybersecurity Rule.pdfSEC Cybersecurity Rule.pdf
SEC Cybersecurity Rule.pdf
 
Oregon Data Broker Law eff 2024.pdf
Oregon Data Broker Law eff 2024.pdfOregon Data Broker Law eff 2024.pdf
Oregon Data Broker Law eff 2024.pdf
 
Generative Artificial Intelligence and Data Privacy: A Primer
Generative Artificial Intelligence and Data Privacy: A Primer Generative Artificial Intelligence and Data Privacy: A Primer
Generative Artificial Intelligence and Data Privacy: A Primer
 
CCPA proposed privacy regs.pdf
CCPA proposed privacy regs.pdfCCPA proposed privacy regs.pdf
CCPA proposed privacy regs.pdf
 
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdfBipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
 
The Road to Schrems II
The Road to Schrems IIThe Road to Schrems II
The Road to Schrems II
 
Cyber Security Basics for the WFH Economy
Cyber Security Basics for the WFH EconomyCyber Security Basics for the WFH Economy
Cyber Security Basics for the WFH Economy
 
FIFA Indictment
FIFA IndictmentFIFA Indictment
FIFA Indictment
 
Cyber exploitation-law-enforcement-bulletin
Cyber exploitation-law-enforcement-bulletinCyber exploitation-law-enforcement-bulletin
Cyber exploitation-law-enforcement-bulletin
 
Data Privacy Day 2020
Data Privacy Day 2020Data Privacy Day 2020
Data Privacy Day 2020
 
Data Privacy Day - Five Ways to Help Employees be Privacy Aware
Data Privacy Day - Five Ways to Help Employees be Privacy AwareData Privacy Day - Five Ways to Help Employees be Privacy Aware
Data Privacy Day - Five Ways to Help Employees be Privacy Aware
 
Cyber Report: A New Year with New Laws
Cyber Report: A New Year with New LawsCyber Report: A New Year with New Laws
Cyber Report: A New Year with New Laws
 
Cal AB 5 - CHAPTER 296
Cal AB 5 - CHAPTER 296Cal AB 5 - CHAPTER 296
Cal AB 5 - CHAPTER 296
 
FTC's Influencer Guide
FTC's Influencer GuideFTC's Influencer Guide
FTC's Influencer Guide
 
Dumpson v-Ade-opinion-on-default-judgment (1)
Dumpson v-Ade-opinion-on-default-judgment (1)Dumpson v-Ade-opinion-on-default-judgment (1)
Dumpson v-Ade-opinion-on-default-judgment (1)
 
Good jobs first backgrounder
Good jobs first backgrounderGood jobs first backgrounder
Good jobs first backgrounder
 
A BRIEF HISTORY OF US PRIVACY REGULATION ATTEMPTS
A BRIEF HISTORY OF US PRIVACY REGULATION ATTEMPTSA BRIEF HISTORY OF US PRIVACY REGULATION ATTEMPTS
A BRIEF HISTORY OF US PRIVACY REGULATION ATTEMPTS
 

Kürzlich hochgeladen

Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxAudience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxMollyBrown86
 
589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdfSUSHMITAPOTHAL
 
The doctrine of harmonious construction under Interpretation of statute
The doctrine of harmonious construction under Interpretation of statuteThe doctrine of harmonious construction under Interpretation of statute
The doctrine of harmonious construction under Interpretation of statuteDeepikaK245113
 
一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书 一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书SS A
 
CAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction FailsCAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction FailsAurora Consulting
 
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...Finlaw Associates
 
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptx
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptxMunicipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptx
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptxSHIVAMGUPTA671167
 
Chp 1- Contract and its kinds-business law .ppt
Chp 1- Contract and its kinds-business law .pptChp 1- Contract and its kinds-business law .ppt
Chp 1- Contract and its kinds-business law .pptzainabbkhaleeq123
 
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptxMOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptxRRR Chambers
 
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)Delhi Call girls
 
Relationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdfRelationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdfKelechi48
 
LITERAL RULE OF INTERPRETATION - PRIMARY RULE
LITERAL RULE OF INTERPRETATION - PRIMARY RULELITERAL RULE OF INTERPRETATION - PRIMARY RULE
LITERAL RULE OF INTERPRETATION - PRIMARY RULEsreeramsaipranitha
 
Shubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptxShubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptxShubham Wadhonkar
 
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdfBPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdflaysamaeguardiano
 
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptxIBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptxRRR Chambers
 
PowerPoint - Legal Citation Form 1 - Case Law.pptx
PowerPoint - Legal Citation Form 1 - Case Law.pptxPowerPoint - Legal Citation Form 1 - Case Law.pptx
PowerPoint - Legal Citation Form 1 - Case Law.pptxca2or2tx
 
INVOLUNTARY TRANSFERS Kenya school of law.pptx
INVOLUNTARY TRANSFERS Kenya school of law.pptxINVOLUNTARY TRANSFERS Kenya school of law.pptx
INVOLUNTARY TRANSFERS Kenya school of law.pptxnyabatejosphat1
 

Kürzlich hochgeladen (20)

Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxAudience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
 
589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf
 
Rohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
The doctrine of harmonious construction under Interpretation of statute
The doctrine of harmonious construction under Interpretation of statuteThe doctrine of harmonious construction under Interpretation of statute
The doctrine of harmonious construction under Interpretation of statute
 
一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书 一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书
 
CAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction FailsCAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction Fails
 
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
 
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptx
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptxMunicipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptx
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptx
 
Chp 1- Contract and its kinds-business law .ppt
Chp 1- Contract and its kinds-business law .pptChp 1- Contract and its kinds-business law .ppt
Chp 1- Contract and its kinds-business law .ppt
 
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptxMOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
 
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
 
Relationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdfRelationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdf
 
LITERAL RULE OF INTERPRETATION - PRIMARY RULE
LITERAL RULE OF INTERPRETATION - PRIMARY RULELITERAL RULE OF INTERPRETATION - PRIMARY RULE
LITERAL RULE OF INTERPRETATION - PRIMARY RULE
 
Shubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptxShubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptx
 
Russian Call Girls Rohini Sector 7 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 7 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...Russian Call Girls Rohini Sector 7 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 7 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
 
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdfBPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
 
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptxIBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
 
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
 
PowerPoint - Legal Citation Form 1 - Case Law.pptx
PowerPoint - Legal Citation Form 1 - Case Law.pptxPowerPoint - Legal Citation Form 1 - Case Law.pptx
PowerPoint - Legal Citation Form 1 - Case Law.pptx
 
INVOLUNTARY TRANSFERS Kenya school of law.pptx
INVOLUNTARY TRANSFERS Kenya school of law.pptxINVOLUNTARY TRANSFERS Kenya school of law.pptx
INVOLUNTARY TRANSFERS Kenya school of law.pptx
 

ECJ Press Release in Schrems II Decision

  • 1. www.curia.europa.eu Press and Information Court of Justice of the European Union PRESS RELEASE No 91/20 Luxembourg, 16 July 2020 Judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield However, it considers that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is valid. The General Data Protection Regulation1 (‘the GDPR’) provides that the transfer of such data to a third country may, in principle, take place only if the third country in question ensures an adequate level of data protection. According to the GDPR, the Commission may find that a third country ensures, by reason of its domestic law or its international commitments, an adequate level of protection.2 In the absence of an adequacy decision, such transfer may take place only if the personal data exporter established in the EU has provided appropriate safeguards, which may arise, in particular, from standard data protection clauses adopted by the Commission, and if data subjects have enforceable rights and effective legal remedies.3 Furthermore, the GDPR details the conditions under which such a transfer may take place in the absence of an adequacy decision or appropriate safeguards.4 Maximillian Schrems, an Austrian national residing in Austria, has been a Facebook user since 2008. As in the case of other users residing in the European Union, some or all of Mr Schrems’s personal data is transferred by Facebook Ireland to servers belonging to Facebook Inc. that are located in the United States, where it undergoes processing. Mr Schrems lodged a complaint with the Irish supervisory authority seeking, in essence, to prohibit those transfers. He claimed that the law and practices in the United States do not offer sufficient protection against access by the public authorities to the data transferred to that country. That complaint was rejected on the ground, inter alia, that, in Decision 2000/5205 (‘the Safe Harbour Decision’), the Commission had found that the United States ensured an adequate level of protection. In a judgment delivered on 6 October 2015, the Court of Justice, before which the High Court (Ireland) had referred questions for a preliminary ruling, declared that decision invalid (‘the Schrems I judgment’).6 Following the Schrems I judgment and the subsequent annulment by the referring court of the decision rejecting Mr Schrems’s complaint, the Irish supervisory authority asked Mr Schrems to reformulate his complaint in the light of the declaration by the Court that Decision 2000/520 was invalid. In his reformulated complaint, Mr Schrems claims that the United States does not offer sufficient protection of data transferred to that country. He seeks the suspension or prohibition of future transfers of his personal data from the EU to the United States, which Facebook Ireland now carries out pursuant to the standard data protection clauses set out in the Annex to Decision 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ 2016 L 119, p. 1). 2 Article 45 of the GDPR. 3 Article 46(1) and (2)(c) of the GDPR. 4 Article 49 of the GDPR. 5 Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (OJ 2000 p.7). 6 Case:C-362/14 Schrems see also Press Release No. 117/15.
  • 2. 2010/87.7 Taking the view that the outcome of Mr Schrems’s complaint depends, in particular, on the validity of Decision 2010/87, the Irish supervisory authority brought proceedings before the High Court in order for it to refer questions to the Court of Justice for a preliminary ruling. After the initiation of those proceedings, the Commission adopted Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield8 (‘the Privacy Shield Decision’). By its request for a preliminary ruling, the referring court asks the Court of Justice whether the GDPR applies to transfers of personal data pursuant to the standard data protection clauses in Decision 2010/87, what level of protection is required by the GDPR in connection with such a transfer, and what obligations are incumbent on supervisory authorities in those circumstances. The High Court also raises the question of the validity both of Decision 2010/87 and of Decision 2016/1250. In today’s judgment, the Court of Justice finds that examination of Decision 2010/87 in the light of the Charter of Fundamental Rights has disclosed nothing to affect the validity of that decision. However, the Court declares Decision 2016/1250 invalid. The Court considers, first of all, that EU law, and in particular the GDPR, applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, even if, at the time of that transfer or thereafter, that data may be processed by the authorities of the third country in question for the purposes of public security, defence and State security. The Court adds that this type of data processing by the authorities of a third country cannot preclude such a transfer from the scope of the GDPR. Regarding the level of protection required in respect of such a transfer, the Court holds that the requirements laid down for such purposes by the GDPR concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter. In those circumstances, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country. Regarding the supervisory authorities’ obligations in connection with such a transfer, the Court holds that, unless there is a valid Commission adequacy decision, those competent supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means, where the data exporter established in the EU has not itself suspended or put an end to such a transfer. Next, the Court examines the validity of Decision 2010/87. The Court considers that the validity of that decision is not called into question by the mere fact that the standard data protection clauses in that decision do not, given that they are contractual in nature, bind the authorities of the third country to which data may be transferred. However, that validity, the Court adds, depends on whether the decision includes effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of 7 Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 (OJ 2016 L 344, p. 100). 8 Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (OJ 2016 L 207, p. 1).
  • 3. personal data pursuant to such clauses are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them. The Court finds that Decision 2010/87 establishes such mechanisms. In that regard, the Court points out, in particular, that that decision imposes an obligation on a data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned and that the decision requires the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former. Lastly, the Court examines the validity of Decision 2016/1250 in the light of the requirements arising from the GDPR, read in the light of the provisions of the Charter guaranteeing respect for private and family life, personal data protection and the right to effective judicial protection. In that regard, the Court notes that that decision enshrines the position, as did Decision 2000/520, that the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country. In the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary. On the basis of the findings made in that decision, the Court pointed out that, in respect of certain surveillance programmes, those provisions do not indicate any limitations on the power they confer to implement those programmes, or the existence of guarantees for potentially targeted non-US persons. The Court adds that, although those provisions lay down requirements with which the US authorities must comply when implementing the surveillance programmes in question, the provisions do not grant data subjects actionable rights before the courts against the US authorities. As regards the requirement of judicial protection, the Court holds that, contrary to the view taken by the Commission in Decision 2016/1250, the Ombudsperson mechanism referred to in that decision does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as to ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services. On all those grounds, the Court declares Decision 2016/1250 invalid. NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of European Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. The Court of Justice does not decide the dispute itself. Unofficial document for media use, not binding on the Court of Justice. Unofficial document for media use, not binding on the Court of Justice. The full text of the judgment is published on the CURIA website on the day of delivery Press contact: Jacques René Zammit  (+352) 4303 3355 Pictures of the delivery of the judgment are available from "Europe by Satellite”  (+32) 2296 4106