Data Transfer Mechanisms To Be Reviewed By CJEU After Irish Supreme Court Dismisses Facebook Appeal

On 31 May 2019, the Supreme Court of Ireland dismissed Facebook's appeal of the Irish High Court decision to refer questions regarding, among other things, the adequacy of the EU-U.S. Privacy Shield and the European Commission's Standard Contractual Clauses to the Court of Justice of the EU (the "CJEU"). The CJEU will hear the case (C-311/18) on 9 July 2019.


Under the General Data Protection Regulation 2016/679 (the "GDPR"), and the Data Protection Directive before that, transfers of personal data outside of the European Economic Area ("EEA") are permitted only where the recipient country has been deemed adequate by the European Commission, where the transfer is made subject to "appropriate safeguards", or where a specific "derogation" can be relied on.[1] As the European Commission has not found that the U.S. is an "adequate" country from a data protection perspective,[2] regular transfers of personal data from the EEA to the U.S. are generally made in reliance on appropriate safeguards, the most commonly relied upon being the European Commission's Standard Contractual Clauses (the "SCCs"). Additionally, transfers can be made to U.S. organisations that have self-certified under the EU-U.S. Privacy Shield (the "Privacy Shield").

In 2013, data privacy lawyer and activist Max Schrems ("Schrems") made a complaint to the Irish Data Protection Commissioner, which eventually resulted in a reference being made by the Irish High Court to the CJEU.[3] Schrems's complaint focused on the adequacy of the EU-U.S. Safe Harbor, the Privacy Shield's predecessor. In particular, the CJEU were asked to consider whether the Safe Harbor provided adequate protection for EU persons' personal data transferred to the U.S., in light of the wide derogations from its principles permitted for national security, among other things. The CJEU found that adequate protection was not afforded by the Safe Harbor and invalidated the European Commission's decision.[4]

This latest case follows on from the original complaint brought by Schrems to the Irish Data Protection Commissioner, this time examining the alternative methods for data transfers relied on by Facebook following the invalidation of the Safe Harbor. The Irish High Court's reference to the CJEU includes eleven questions which test the ability of the SCCs and Privacy Shield to protect the fundamental rights of EU data subjects when their information is transferred to the U.S.

Facebook's appeal


To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT