On 16 October 2015 the Article 29 Working Party issued a statement on the recent ruling of the Court of Justice of the EU in Schrems v. Facebook. Although the tone of the statement is quite general, it reflects the positions and views of European DPAs on the transfer of personal data to the US and on the consequences of the judgment. Moreover, apart from illustrating the next steps European institutions should take in their negotiations with the US, this statement provides a few guidelines for European businesses that would allow them to implement the Court’s judgment.
The issues dealt with in the judgement are complex. While they will require careful consideration, what is immediately clear is that the Court has reiterated the fundamental importance attaching to the right of individuals to the protection of their personal data. That is very much to be welcomed.
In articulating the level of responsibility that the national data protection authorities in each member state will bear, the judgement also clarifies the mechanisms by which data privacy rights must be protected by national data protection supervisory authorities, and the relationship between those authorities and the European Commission.
The judgement will now be considered by the Irish High Court, the High Court having referred a number of questions to the CJEU in relation to the “safe harbour” scheme in July 2014. I immediately instructed the DPC legal team this morning to take whatever actions are necessary to bring the case back as soon as practicable before the Irish High Court. The High Court has listed the matter for Tuesday 20 October at 10.15am.
In declaring the old “safe harbour” rules invalid, however, the significance of the judgement extends far beyond the case presently pending in Ireland. In that regard, my Office will immediately engage with our colleagues in other national supervisory authorities across Europe to determine how the judgement can be implemented in practice, quickly and effectively, particularly insofar as it impacts on EU/US data transfers.”
See also the Statement from Data Protection Commissioner, Helen Dixon in respect of High Court Case 2013/765 JR – Schrems of 20 October 2015, (https://www.dataprotection.ie/viewdoc.asp?Docid=1498&Catid=66&StartDate=1+January+2015&m=n%29) which states “I welcome today’s ruling from Judge Hogan which brings these proceedings to a conclusion. My Office will now proceed to investigate the substance of the complaint with all due diligence.” This refers to the High Court of Ireland judgement Schrems -v- Data Protection Commissioner.
Analytical evaluation of information systems gives rise to recordsPosition Paper of the ULD on the judgment of the Court of Justice of the European Union of 6 October 2015, Schrems v. Facebook (C-362/14)
On 14 October 2015 the DPA of the German state of Schleswig-Holstein issued a position paper commenting on the judgment of the Court of Justice of the EU in the case Schrems v. Facebook. Although the position paper reflects the stance of this DPA exclusively and has limited reach, it contains interesting arguments which criticise the views of the European Commission on the transfer of personal data to the US. According to the DPA data protection standards in the US are inadequate to protect EU citizens and data transfer mechanism other than the Safe Harbour will pose the same problems raised by the Court of Luxembourg in Schrems v. Facebook.
In the wake of the judgment of the European Court of Justice on the Safe Harbour scheme in the case Schrems v. Facebook German federal and state data protection authorities gathered together and issued a joint position paper. Their common position follows the judgment and views expressed by the Court of Luxembourg. In addition, it sheds light on some key aspects of the ruling and on its interpretation by DPAs, governmental authorities and private companies.