Schrems II before the CJEU: who is responsible?

July 17, 2019 - On Tuesday the 9th of July an important hearing took place before the Court of Justice of the European Union (CJEU) in Luxembourg. The case, initiated by privacy activist Max Schrems, started nearly six years ago and is widely being dubbed ‘Schrems II’. The previous case initiated by Schrems led to the invalidation of the Safe Harbour Framework between the EU and the US, a framework which allowed for the transfer of personal data between the two continents. Schrems II addresses the validity of Standard Contractual Clauses (SCCs). These clauses are used by the majority of companies who transfer personal data from the EU to the US. The case touches upon broader questions in the field of international transfers of personal data. This became even more evident during the eight hour long hearing.

Important parties which were present last week included the European Commission, the European Parliament, the European Data Protection Board, representatives of the US government, the Business Software Alliance and the Irish Data Protection Commissioner. It was this national supervisory authority, the Irish Data Protection Commissioner, that first initiated the process through which the case eventually landed at the CJEU after being referred by the Irish High Court.

Initially, the case was concerned with the international data transfer mechanism used by a specific multinational company. Yet, ever since it came to light, the case attracted the attention to the system of international data transfers, set out under the General Data Protection Regulation (GDPR), between the EU and the US as a whole. Concerns intensified due to the Snowden revelations, which evidenced a high level of surveillance by the US government into personal data transferred to the US. Schrems argued that SCCs – when not enforced properly – did not offer adequate safeguards and that, consequently, personal data which originated from the EU were not adequately protected. He did not, however, aim to invalidate the mechanism of SCCs as a whole. Something which the Irish Data Protection Commissioner, by questioning the overall validity of the mechanism, saw differently.

Back at the hearing before the CJEU last week, this difference primarily led to an interesting debate about who is responsible for improving or taking action upon a potential lack of adequate protection in SCCs currently used for international data transfers. The legal service of the institution which drafted the SCCs more than twenty years ago, the European Commission, said that US law is not the real issue in the case at hand. Rather, they held that what is important is to look at who – the Irish Data Protection Commissioner, the national courts, the European Commission, etc – is responsible for what. Representatives of the US government alluded to something similar by stating the GDPR does not give the EU the mandate to “conduct a worldwide enquiry” of surveillance regimes across the world. Thereby indicating that it is not the responsibility nor mandate of the CJEU or the European Commission to rule on the adequacy of protection provided by SCCs currently used for international data transfers.

Instead, most parties present at the hearing hinted to the fact that it should be the national supervisory authorities that must supervise and enforce SCCs used for international data transfers originating from their respective jurisdictions. The European Data Protection Board, set up to contribute to the consistent application of data protection rules throughout the EU, also pointed to the responsibility of national supervisory authorities in this regard. They held that it should be up to the national supervisory authority, in this case the Irish Data Protection Commissioner, to put a halt to those SCCs used for international data transfers of which it could not be said that adequate safeguards are in place.

All in all, the hearing largely focussed on responsibilities. The hearing effectively emerged into a debate about the following; should certain parties take their responsibility in terms of enforcing SCCs or should the mechanism of SCCs be invalidated as a whole? By looking at the statements made last week, general consensus was that the responsibility lies with national supervisory authorities. Whether SCCs will be invalidated as a whole is thereby increasingly difficult to predict, especially given the disruptive effect that this could entail. Perhaps national supervisory authorities will increase their supervision on the topic at hand over the coming months.

There is a lot to monitor these coming months. Amongst which, how this debate impacts the broader discussions around the EU-US Privacy Shield and what the updated SCCs, which were recently suggested by the European Commission, will look like. For now, what is certain is that the Opinion of the CJEU’s Advocate General in Schrems II will be published on the 12th of December.