Schrems

On Jul 22, 2021, the Irish Joint Committee on Justice (“Committee“) published a report that included a series of recommendations on the work of the Irish Data Protection Commission (“DPC“).  The Committee, made up of 14 politicians from across the political spectrum and drawn from both the Dáil (the elected first house) and Seanad (the senate), issued this report following a public hearing held on April 27, 2021 (see our prior blog post here).  The recommendations in the report address, among other things, concerns raised about the Irish DPC’s oversight and enforcement of the EU General Data Protection Regulation (“GDPR“).
Continue Reading Ireland’s Joint Committee on Justice Publishes Recommendations to Reform the Irish Data Protection Commission

On April 27, 2021, the Irish Oireachtas Committee on Justice met in Dublin to consider recent written submissions received criticising the Irish Data Protection Commission (DPC).  The meeting was divided into two hour-long meetings with the first meeting devoted to the criticisms of Max Schrems, the Austrian privacy campaigner, and Fred Logue, an Irish data protection lawyer.  The second meeting, the longer of the two, heard from Helen Dixon, the Data Protection Commissioner, and the Irish Council of Civil Liberties.

Ten politicians, including the Chair (a lawyer with data law experience), questioned each of the invitees on what was a limited agenda.  Each participant was limited to a five minute opening statement after which member politicians attending queried them.  Discussion of ongoing cases was not permitted.

The Committee scheduled Mr. Schrems and Ms. Dixon on separate panels, presumably to avoid a repeat of Ms. Dixon’s objection to the previous invitation from the European Parliament’s LIBE Committee proposing to hear from both together at the same hearing.  Each in turn were the key participants in their panel discussions.  Mr. Schrems repeated criticisms he has made previously and Ms. Dixon gave a strong defence of her office.
Continue Reading Irish Parliamentary Committee Hearing Discusses Criticism of the Irish DPC

On January 25, 2018, the Court of Justice of the European Union (“CJEU”) handed down a ruling permitting consumer privacy actions to be brought in the consumer’s home jurisdiction — as opposed to the jurisdiction in which the defendant data controller has its main establishment — but not permitting consumer privacy class actions to be brought in a consumer’s home jurisdiction.

Background

Maximilian Schrems (“Schrems”) — an Austrian resident, lawyer and privacy activist (best known for his involvement in litigation relating to the EU-U.S. Safe Harbor and the EU Model Clauses) — brought a class action against Facebook’s Irish-registered office, before the Austrian courts.  Schrems’ action alleges various breaches of Austrian, Irish, and EU data privacy rules, and includes claims for damages arising from these alleged breaches.

Schrems, a Facebook user of ten years, initially registered with Facebook under a false name for personal purposes only, engaging in typical private uses of the site such as to share photos and posts with his 250 or so Facebook Friends.  Then, in 2011, Schrems created a Facebook page to report on his legal proceedings against Facebook Ireland, reference his lectures and media appearances, advertise his books and solicit public donations.

The Austrian Supreme Court sought a preliminary ruling from the CJEU on two points.

  • Whether Schrems is a “consumer” as defined and interpreted under EU law (namely Article 15 of Regulation No. 44/2001 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters), in relation to his Facebook account, specifically the use of his Facebook page (“the Consumer Issue”).
  • Whether Schrems could bring his action alongside and on behalf other consumers in contractual relationships with Facebook, those consumers numbering more than 25,000 and residing in Austria, other Member States, and outside the EU (“the Class Action Issue”).

Continue Reading CJEU Rejects Consumer Privacy Class Action

On October 3, 2017, the Irish High Court referred Data Protection Commissioner v Facebook Ireland Limited [2016 No. 4809 P.] to the Court of Justice of the European Union (“CJEU”).  The case, commonly referred to as Schrems II, is based on a complaint by Max Schrems concerning the transfer of personal data by Facebook, from Ireland to the United States, using the EU Standard Contract Clauses (“SCCs”).

Background

The SCCs are a European Commission-approved mechanism to legally effect the transfer of personal data from the EEA to third (non-EEA) countries.  The SCCs provide for a contractual arrangement between a EEA-based data exporter and a non-EEA-based data importer of personal data, under which the data importer agrees to abide by EU privacy standards.
Continue Reading Validity of EU Standard Contractual Clauses Referred to CJEU

On July 26, 2017, the Court of Justice of the EU (CJEU) published Opinion 1-15 (the “Opinion”) on the proposed agreement between the European Union and Canada on the transfer and processing of passenger name record (“PNR”) data (the “Agreement”).  The Agreement was signed in 2014, but the CJEU was asked to determine whether it was compatible with EU data protection law before it is approved by the European Parliament.

The Opinion concluded that a number of provisions relating to the transfer of PNR data – particularly sensitive data – are incompatible with the EU Data Protection Directive (Directive 95/46) and the fundamental rights to privacy and data protection, and the protection against discrimination, under Articles 7, 8 and 21 of the EU Charter of Fundamental Rights (the “Charter”), meaning the Agreement must be renegotiated before it enters into force.

Notably, the CJEU’s opinion was consistent with its recent judgments concerning data transfers to “third countries” (outside the EEA) in Schrems and Tele2/Watson
Continue Reading CJEU: EU-Canada proposed agreement on the transfer of Passenger Name Record data does not conform to EU data protection law standards

Needless to say, the document most of us are reading now is the 209-page General Data Protection Regulation, just agreed upon by the institutions of the European Union.  A few parts are quite a page-turner.  (Parental consent for under-16s to access the Internet? Srsly?)  But even with this scintillating read, we find ourselves reaching for something a bit less, well, dense.

This weekend we can do that without ever leaving the EU-US comparative mindset.  Professors Ken Bamberger and Deirdre Mulligan of the Berkeley Center for Law & Technology have just published a groundbreaking work called Privacy on the Ground: Driving Corporate Behavior in the United States and Europe (MIT Press).  The book, which expands on the authors’ groundbreaking 2011 article, is based on empirical research that focuses not on what the law says in the EU and the U.S., but how privacy is actually practiced under five countries’ laws – the U.S., U.K., Germany, France, and Spain.  In findings that will be surprising and counterintuitive to some of our European colleagues, Ken and Deirdre find that the strongest privacy management practices are found in the United States and Germany.  That’s right – stronger practices in the U.S. than in France, Spain and the U.K.  I’m looking forward to the European reviews!  And to digging into the details.
Continue Reading Privacy Weekend: Provocative Articles We’re Reading Now

By Monika Kuschewsky and Vera Coughlan

Following the judgment of the Court of Justice of the EU of October 6 in the Schrems case (Case C-362/14) (see our previous blog post here), today, the European Commission issued guidance on transfers of personal data from the EU to the U.S. post Schrems. For the press release see here, Q&As here and the Commission Communication here.

In large, the guidance confirms the status quo and summarizes existing guidance of the Article 29 Data Protection Working Party (“WP29”), the EU advisory body on privacy comprised of representatives of the national data protection authorities (“DPAs”), the European Data Protection Supervisor and the Commission, and the WP29’s statement of October 16 (see our previous blog post here). Most notably, the Commission joins the WP29 in the position that alternative tools authorizing data flows can still be used by companies for lawful data transfers to third countries, including to the U.S. The Commission then further explains each of these alternative tools in more detail:
Continue Reading European Commission issues guidance on the impact of the Schrems (Safe Harbor) ruling of the EU’s Highest Court

Today, the German supervisory authorities (“German DPAs”) responsible for data protection at federal and state (Länder) level published a position paper on the EU-U.S. Safe Harbor (available in German – see here).  This 14-point position paper follows a meeting that these authorities held last week.  Key points include:

  • following the Safe Harbor

The Article 29 Data Protection Working Party (“Article 29 WP”), an EU advisory body on data protection composed of representatives of the national data protection authorities (“DPAs”), the European Data Protection Supervisor and the European Commission, met in plenary on Thursday, October 15, to discuss the first consequences of the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems case (see our previous blog post here). In a press release (see here) on October 16, they emphasize that “it is absolutely essential to have a robust, collective and common position on the implementation of the judgment.” They will closely observe the pending procedures before the Irish High Court, which is expected to issue a judgment in November, now that the case has been referred back to it by the CJEU.

The key take-aways from the Article 29 WP’s press release are that:

  • data transfers under the European Commission’s Safe Harbor decision after the CJEU judgment are unlawful;
  • the Article 29 WP will analyze the impact of the CJEU judgment on other transfer tools − during this period standard contractual clauses and Binding Corporate Rules (“BCRs”) can still be used;
  • grace period: DPAs will take action, including coordinated enforcement action, if by the end of January 2016 no appropriate solution with the U.S. authorities is found (depending on the assessment of the other transfer tools); and
  • in the meantime, DPAs can investigate in particular cases and exercise their powers to protect individuals, for instance, in case of a complaint.

Continue Reading Article 29 WP On the Schrems Ruling (Safe Harbor) − Latest Developments and Next Steps