You most likely remember the case brought forth by privacy activist and lawyer Max Schrems which questions whether the methods used by technology companies, and specifically Facebook, to transfer data outside of the EU adequately protects the personal data from American surveillance.
Last year the Irish High Court indeed determined that there were doubts about the legality of cross-border transfers of data to the United States using standard contractual clauses and Privacy Shield and ordered the case to be referred to the European Court of Justice.
Facebook appealed the ruling which subsequently brought the case to the Irish Supreme Court. After last Friday’s decision, the question concerning the legality of data transfer mechanisms will finally be heard in July.
This case could have serious implications for companies operating in the EU which are engaged in the transfer of European citizen’s data to the United States, especially after the invalidation of Safe Harbor when many entities began relying on the European Commission’s Standard Contractual Clauses, which are considered to provide adequate safeguards to EU citizens. It remains to be seen how the CJEU will rule, especially given that they are not responsible for finding alternative feasible measures to ensure global dataflows.
It is, however, of utmost importance that the CJEU finally takes a decision on this much-debated subject. It goes without saying that the fundamental rights of data subjects should take center stage in the decision of the Court. At the same time, however, the Court should consider the needs for companies to engage in transatlantic data flows and that for the last two years many companies have built business models around the Standard Contractual Clauses and Privacy Shield. For sure it is not an easy task to balance effective privacy rights for data subjects while also considering feasible subsequent solutions for data flows, but it must be done in the interest of both EU citizens and the global economy.