• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to secondary sidebar

Alston & Bird Privacy Blog

  • Home
  • Services
  • Events
  • Contacts

Irish High Court Refers Schrems 2.0 to the ECJ

April 13, 2018 By Justin Hemmings and Privacy & Data Security Team

On April 11, Justice Caroline Costello of the Irish High Court referred the Schrems 2.0 case to the Court of Justice of the European Union (ECJ) with 11 questions for the ECJ to answer. Per Justice Costello, the sole issue in the case is whether the European Commission’s Decisions regarding standard contractual clauses (SCCs) are valid, which is reflected in the 11 questions posed.

The reference asks the ECJ to determine:

  • Whether provisions of EU law related to national security, public security, defense, and state security apply to transfers of data outside the EU under SCCs;
  • Whether relevant EU law or EU Member State laws are the appropriate comparator for determining if a violation of individual rights occurred (and whether to include EU Member States’ national security practices in that comparator);
  • Whether the assessment of a third country’s level of privacy protection should include administrative, regulatory and compliance practices, policy safeguards, procedures, protocols, oversight mechanisms, and non-judicial remedies;
  • Whether transfer of personal data from the EU to the U.S. under valid SCCs violates the rights of individuals under Articles 7 and/or 8 of the Charter of Fundamental Rights of the European Union (the Charter) (note – these articles state the rights to data protection and privacy);
  • Whether the level of protection afforded by the U.S. respects the essence of an individual’s right to a judicial remedy for breach of data privacy rights as guaranteed under the Charter, and if so, whether limitations imposed by U.S. law on access to judicial remedies are necessary and proportionate for national security in a democratic society according to Article 52 of the Charter;
  • What level of protection is required for personal data transferred to a third country pursuant to SCCs in light of the Data Protection Directive and the Charter, and what factors should be reviewed in determining the adequacy of the level of protection offered by a third country;
  • Whether the SCCs can include additional safeguards per Article 26(2) of the Data Protection Directive sufficient to cure any deficiencies for third countries where national authorities may require a data importer to make personal data received under an SCC available for national security purposes;
  • Whether a data protection authority (DPA) can use its own discretion in determining whether to suspend data flows to a third country data importer if the DPA believes that country’s surveillance laws conflict with relevant EU law;
  • Whether the Privacy Shield Decision constitutes a finding that the U.S. has an adequate level of privacy protection, and if not, what relevance the Privacy Shield Decision has in assessing the adequacy of U.S. privacy safeguards related to SCCs;
  • Whether the provision of the Privacy Shield ombudsperson under the Privacy Shield Decision, in combination with existing U.S. law, ensures a remedy compatible with Article 47 of the Charter; and
  • Whether the SCC Decision violates the Charter.

In addition to the questions posed in the referral, Justice Costello also included findings of fact based on the submitted expert testimonies and the parties’ arguments before the Court. Justice Costello found that Section 702 of the Foreign Intelligence Surveillance Act, which includes the PRISM and Upstream programs, conducts “mass indiscriminate processing of data by the United States government agencies” (Para. 33). Justice Costello also included a number of findings regarding the U.S. surveillance law, how the PRISM and Upstream programs operate, available privacy remedies for individuals whose privacy rights are impacted by U.S. surveillance, the limitations on those remedies, and U.S. systemic safeguards and oversight mechanisms.

Copies of expert testimonies provided in Schrems 2.0 are available at IAPP.org. A full copy of Professor Peter Swire’s (Holder Chair at the Georgia Tech Scheller College of Business and Senior Counsel at Alston & Bird) testimony, including a French translation of the summary chapter and a series of related essays, is available here.

Filed Under: Data Protection, International, National Security, Privacy Litigation, Privacy Shield Tagged With: Cross-border, EU Data Protection, EU Privacy, European Union (EU), International Data Transfers, Litigation, Schrems 2.0

Reader Interactions

Primary Sidebar

This blog is a service of Alston & Bird’s Privacy & Data Security team and focuses on key data privacy and data security issues.


Countdown to CCPA Effective Date


Receive email notifications when new posts are added.

Receive email notifications when new posts are added.


PRIVACY MAILINGS
Click Here to Sign Up

FOLLOW US
on Twitter Click Here


Secondary Sidebar

Categories

Recent Posts

  • Alston & Bird Expands Privacy and Cybersecurity Capabilities with Former FTC Veteran
  • Treasury Announces Sanctions Against Cybercriminal Group Behind ‘Dridex’ Malware, Offering Mitigation Strategies for Businesses
  • Critical Audit Matters Disclosure Implicates Information Technology and Security
  • SHIELD Act Overhauls New York’s Data Breach Notification Framework
  • Alston & Bird Details 21 Potentially Significant Impacts from Draft CCPA Regulations
Copyright © 2019 · Alston & Bird · All Rights Reserved. Privacy.
This website uses cookies to improve functionality and performance. By continuing to browse this site, you are consenting to the use of cookies on this website. OkCookie policy