ECJ hears case which could upend international data transfer rules

On 9 July Max Schrems an Austrian privacy activist took a long-running legal battle against Facebook over its data transfers to the U.S. to the European Union's highest court for a second time. 

While the case concerns just one company, it could have wide reaching ramifications for the mechanisms for transferring personal data, and depending on the outcome of the Brexit negotiations, enormous consequences for companies operating in the UK that exchange data with the EU and the rest of the world.

The underlying question on which the European Court of Justice (ECJ) heard arguments is whether Facebook's Dublin-based subsidiary can legally transfer users' personal data to the U.S. parent company. 

However, the full scope of the case means that it brings into question the validity of both the EU-US Privacy Shield and Standard Contractual Clauses (SSC’s). SCCs are a critical part of the data transfer regime under GDPR as they are the primary mechanism to allow an EU company to transfer personal data to another company if that company exists in a country without an EU adequacy agreement. 

Were the ECJ to rule against either Privacy Shield or SCCs as legal forms of transfer, it would significantly reduce the options available to ensure the free flow of personal data. 

Max Schrems also brought the 2013, appeal to the ECJ, following the Edward Snowden revelations, that resulted in the striking down of the EU – US Safe Harbour framework. That decision caused major problems for companies working across the EU and US, with one company reporting having to change 2 million contracts to ensure the legality of data flows. The striking down of Safe Harbour resulted in crisis meetings between the US and the EU to agree a new relationship, resulting in Privacy Shield. 

While Schrems has not brought the case with the aim of invalidating Privacy Shield or SCCs, the Irish court from which this case has been referred has set a total of 11 questions to be answered by the ECJ , these have the potential to result in a decision invalidating both Privacy Shield and the SCCs. Data protection lawyers will therefore be watching the for the ECJ’s decision very closely.

The case also creates a potentially massive headache for UK firms of we were to leave the EU in October with No Deal. Advice from both Government and the Information Commissioner has highlighted that companies preparing for a potential No Deal should ensure that SCCs form part of all personal data transfers from the EU to the UK, in order to ensure they are legally valid in the event of No Deal. Should SCCs then be struck down, this planning could have been for nothing and the already limited options for enabling the free flow of data would be even further restricted. 

The concern highlights again why a No Deal Brexit is such a risk for the tech sector. In order to avoid relying on SCCs the UK will need to go through the process of securing an adequacy decision from the European Commission. An adequacy agreement is achievable during a transition period, but the length of time that this will take is uncertain. The shortest decision was concluded in 18 months and the European commission will not begin the process until the UK is a third country, after it has left the EU. 

The timing of the ECJ case is therefore critical. The first step will be for the Advocates General of the ECJ to issue a preliminary, non-binding opinion to the court. This is  expected on 12 December. The advocates general decision often foreshadows the final ruling of the court meaning we will get a good measure of the likely outcome of the case in December. 

The final, binding, decision from the court is due in early 2020. 

The optimal outcome for the industry is that SSCs are not invalidated as this would have huge ramifications, not just for the UK, but for the global regime for transferring data. techUK will continue to monitor the progress of the case at the ECJ and will seek to advice members on what they can do depending on the outcome. 

  • Neil Ross

    Neil Ross

    Policy Manager | Digital Economy
    T 078 4276 5470

Share this


Today's guest blogs by @Arm and @bt_uk on Accountability and Explainability mark the final day of our…
Great news! techUK has exceeded its fundraising target for @crisis_uk at the #DigitalEthics summit. Thank you to th…
ICYMI we were lucky enough to have Elizabeth Denham @ICOnews deliver her keynote via video to the delegates at our…
Read @Natterbox's @imoyse guest blog for #techUK discussing the future of cloud adoption in policy and business her…
Do you need to present and communicate, sell, influence, overcome objections and shift mindsets? If yes, Storytelli…
On 13 January 2020 as part of techUK's emerging & transformative technologies work we will be launching our Drones…
If you’re an SME and supply to the public sector then we want to hear from you! Complete our GovTech SME Survey and…
Check out this guest blog by #techUK Skills & Diversity Council member @astrid_mehrtens of @AptumTech exploring ho…
Become a Member

Become a techUK Member

By becoming a techUK member we will help you grow through:

Click here to learn more...