August 8, 2020

Volume X, Number 221

August 07, 2020

Subscribe to Latest Legal News and Analysis

August 06, 2020

Subscribe to Latest Legal News and Analysis

CJEU’s Judgment on Validity of EU Standard Contractual Clauses Due July 16, 2020

In a case that has garnered widespread interest, the Court of Justice of the European Union (“CJEU”) will deliver its judgment in theSchrems II case (case C-311/18) on July 16, 2020, determining the validity of the controller–to-processor Standard Contractual Clauses (“SCCs”) as a cross-border data transfer mechanism under the EU General Data Protection Regulation (“GDPR”). If the SCCs are invalidated, the judgment would deliver a significant blow to the numerous businesses that rely on them, leaving many scrambling to find a suitable alternative transfer mechanism. Even if the SCCs survive, they may become more cumbersome to use.

The CJEU’s Advocate General (“AG”) released his non-binding opinion on the case in December 2019, stating that the SCCs provide sufficient protection for EU personal data, but raising the possibility that businesses that rely on them may need to take a proactive role in evaluating whether there is in fact an “adequate level of protection” for personal data in the importing jurisdiction. The AG also raised concerns regarding the Privacy Shield, an alternative mechanism for transferring personal data from the EU to the U.S.

The judgment will be of great importance to businesses around the globe, the vast majority of which rely on SCCs to transfer personal data from the EU to the U.S., and to numerous other jurisdictions. If the CJEU rules that the SCCs are not valid, companies will need to put in place alternate transfer mechanisms, potentially on short notice. Further, such a ruling would impact preparations for transferring personal data from the EU to the UK following termination of the Brexit transition period on December 31, 2020. At present, most businesses are preparing to use SCCs for these transfers.

Background to Schrems II

The case stems from a complaint filed by privacy advocate Max Schrems with the Irish Data Protection Commissioner (“Irish DPA”) in 2015, challenging Facebook Ireland’s use of the SCCs to transfer personal data to Facebook Inc. in the U.S. Specifically, Schrems alleged that the SCCs do not ensure an adequate level of protection for EU data subjects, as U.S. legislation does not explicitly limit interference with an individual’s right to protection of personal data in the same way as EU data protection law. A key concern was that EU personal data might be at risk of being accessed and processed by the U.S. government once transferred, in a manner incompatible with privacy rights guaranteed in the EU under the Charter of Fundamental Rights.

Accordingly, Schrems argued that there was no remedy allowing EU data subjects to ensure protection of their personal data once it had been transferred to the U.S. Following the complaint, the Irish DPA brought proceedings against Facebook in the Irish High Court, challenging the validity of the SCCs, and referring 11 questions to the CJEU for a preliminary ruling.

View our previous blog posts on the progression of the case in May 2016October 2017August 2018July 2019 and May 2020.

Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume X, Number 195


About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct