The importance of data privacy has become more and more prevalent in the wider context of cyber-security. The recent case (known as Schrems II) heard by the Court of Justice for the European Union, (CJEU) has ramifications that could be a lot more far-reaching than initially thought when it comes to cross-border data transfers and personal information being shared amongst different countries.
In 2015, Austrian activist Max Schrems filed a complaint with the Irish DPA against Facebook, that allowed US Authorities to gain access to his personal data in violation of EU data protection law. This case was then escalated to the CJEU whereby a judgement was given that invalidated the ‘Safe Harbor Network’ a mechanism that many companies relied on to legitimize data flows between the EU and the US.
The Continuation of the Schrems Saga:
On July 9, 2019 the Schrems case continued onto its second part with the main parties involved in the proceedings – the plaintiff Max Schrems, the Irish data protection commissioner (“Irish DPA”) and Facebook Ireland – all in attendance at court.
Additionally, a few other stakeholders were part of the proceedings including the representatives of the European Parliament, the European Commission, several EU member states, as well as the US Government.
The CJEU’s judgement in the case is not expected until early 2020, but it has the potential to have a significant impact on the EU data protection landscape, as it could invalidate EU Standard Contractual Clauses, a mechanism that imposes strict safeguards on companies transferring personal data cross border.
As a consequence, the validity of other transfer mechanisms such as the EU/US Privacy Shield would also come into question, leaving companies with limited options to legitimize the international data flows essential for business.
The possible resulting scenario is that personal data transfers between the EU and US would be prohibited, while transfers to other countries who do not have such strict data protection laws such as China, would not.
The Global Implications:
The global implications of this litigation is that countries not covered by the Court decision will still to be able to obtain personal information with data protection that is still developing. This ‘imbalance’ would subsequently raise trade issues by discriminating against one trading partner (the US) while allowing countries such as China to abuse the data they receive.
While the CJEU and main parties involved in this case must consider the hugely significant practical implications of the decisions they will make, organizations wishing to be proactive about their responsibilities as custodians of personal information can take a data-first approach to mitigating risk and achieving compliance during cross border transfers.
Learn how to maximize the security and usability of sensitive data in The Hitchhiker’s Guide to Privacy by Design.