On July 9, 2019, the Court of Justice of the European Union heard oral arguments in a landmark case concerning Facebook’s transfer of personal data from the EU to the US on the basis of the currently utilized “standard contractual clauses” (SCCs) mechanism.
The oral hearing took place before 15 judges, who heard the parties to the proceeding as well as four amici curiae, several EU institutions and Member States, and the European Data Protection Board (EDPB).
Below are some of the most relevant points from the EDPB’s oral pleading:
- With regard to the first preliminary question on standard contractual clauses (SCCs), the EDPB took the position that the SCCs have a general scope, not related to any specific third country. “They are provided for an individual transfer contract from an EU-exporter to a third country importer.” Therefore, the competent Data Protection Authority (DPA) shall – on the basis of a complaint – assess whether the exporter and importer complied with their obligations under the SCCs. If not, the DPA may suspend the specific transfers, but does not have the power to issue a general ban of transfers to a specific third country.
- The continuity of the protection afforded under EU laws needs to be ensured, also during the stage of transit to a third country, no matter which transfer tool is used.
- The adoption of an adequacy decision creates a presumption with respect to the level of protection. The EDPB noted that, while the Privacy Shield adequacy decision made reference to data in transit, the level of protection during the stage of transit was not discussed during any Privacy Shield Joint Reviews. More on Privacy Shield is available at https://www.technethics.com…
- In relation to the third preliminary question on the level of protection required, all domestic rules should be taken into account when making an assessment of adequacy on the legal framework of a third country.
- With reference to the fourth preliminary question, on access to personal data by a public authority in the specific context of the Privacy Shield, the EDPB “stressed the importance of more specific safeguards for these measures, for example for precise targeting to determine whether an individual or a group can be a target of surveillance, and for strict scrutiny of individual targets by an independent authority ex-ante.”
- The EDPB welcomed the establishment of the Ombudsperson mechanism as a new redress mechanism, but it stressed that it can’t be considered an “effective remedy before a tribunal”, since it may lack powers to access information and to remedy noncompliance.
The EDPB’s oral pleading before the Court of Justice of the EU in Case C-311/18 (Facebook Ireland and Schrems) is available at https://edpb.europa.eu…
For assistance on the GDPR, feel free to contact us at: http://www.cgcfirm.com…