• Skip to main content
  • Skip to primary sidebar
  • Skip to footer
+49 (0) 69 / 606 278 – 0
[email protected]
Contact form
Patent- & Rechtsanwaltskanzlei

Patent- & Rechtsanwaltskanzlei

  • Deutsch

+49 (0) 69 / 606 278 – 0

  • Facebook
  • Twitter
  • Instagram
  • LinkedIn
  • xing
  • Email
MENUMENU
  • Services
    • Advice On Protective IP Rights
    • Patent Application /TM Registration
    • Enforcement Of IP Rights
    • Defence Against IP Rights Enforcement
    • Costs
  • Company
    • Fields of Law
      • Patent Law
      • Utility Model Law
      • Employees‘ Inventions
      • Trademark Law
      • Design Law
      • Trademark and Product Piracy
      • Expert Opinions
    • Our Law Firm
      • Dr. Karl-Hermann Meyer-Dulheuer
      • Dr. Tim Meyer-Dulheuer
      • Dr. Klaus Zimmermann
      • Zhichao Ying
      • Dr. Christoph Hölscher
    • Commitment
  • Contact
    • Where To Find Us
    • Write us!
    • Request call back
  • Blog

ECJ and Facebook: Transfer of personal data to the USA

16. July 2020

The European Court of Justice today handed down a remarkable ruling in the long-running lawsuit by Austrian lawyer Schrems regarding the transfer of personal data from Facebook Ireland to the USA. The USA is no longer granted a standardised appropriate level of protection for personal data – a ruling with relevance for all economic connections to the USA.

EuGH: Facebook personenbezogene Daten

Today’s ECJ ruling brings more clarity to the application of the European General Data Protection Regulation (GDPR) and the protection of personal data.

According to the ECJ ruling, the GDPR applies to the transfer of personal data to a third country for commercial purposes, even if they are used by the country’s secret services. Above all, however, the US level of protection of personal data has today been declared invalid in accordance with the adequacy of the protection provided by the EU-US data protection shield (DSS Decision). The USA is thus deprived of a standardised adequate level of protection for personal data.

Schrems vs. Facebook Ireland lawsuit that has attracted public attention

Seven years ago, a high-profile lawsuit between Mr. Schrems and Facebook began, in which Mr. Schrems essentially demanded that Facebook Ireland be prohibited from transferring its personal data to the United States.

He argued that Facebook Inc. was obliged under American law to make the personal data it had transferred available to American authorities such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI).

Facebook Ireland stated that a large part of the personal data is transferred to Facebook Inc. on the basis of the standard privacy clauses contained in the Annex to the SCC Decision. The SCC  Decision (Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46) has been in force since 2010 and governs the transfer of personal data to third countries.

Mr. Schrems objected to this and referred to the Charter of Fundamental Rights of the European Union, on the basis of which the SCC decision could not justify the transfer of personal data to the United States.

In its judgment today, the European Court of Justice (ECJ) therefore ruled on the interpretation and validity of the SCC Decision in the context of the EU Decision on the Adequacy of the Protection afforded by the EU-US Data Protection Shield of 2016 (DSS Decision). This is because, according to the DSS Decision, the United States ensures an adequate level of protection for personal data.

The legal situation is also complicated by the European Basic Regulation on Data Protection (GDPR), which has now entered into force. This is because Directive 95/46 was actually repealed and replaced by the DSGVO with effect from 25 May 2018. Therefore, the ECJ stated today, the questions referred for a preliminary ruling must be answered on the basis of the provisions of the DSGVO and not of Directive 95/46, even if they refer to the provisions of Directive 95/46.

Questions referred: Validity of the SCC decision and the DSS decision under GDPR

In particular, the question had to be answered as to whether personal data could also be transferred on the basis of the SCC Decision from a private company from a Member State of the Union to a private company in a third country for a commercial purpose – and this also under the provisions of the GDPR. Today’s ruling is all the more important because the national supervisory authorities of the EU Member States are empowered to check whether the requirements laid down in the GDPR are complied with when personal data are transferred from their Member State to a third country.

The questions referred for a preliminary ruling therefore also concerned the question of the level of protection afforded by Articles 46(1) and 46(2) of the GDPR when personal data are transferred to a third country on the basis of standard data protection clauses. The court should also decide whether the competent national supervisory authority is obliged to suspend or prohibit a transfer of personal data to a third country based on standard data protection clauses (such as the SCC and DSS Decisions) if it finds that there has been a breach of the requirements under the GDPR.

ECJ: Third countries must ensure an adequate level of protection

The ECJ confirmed the latter question. National supervisory authorities would have to take action and prohibit the transfer of personal data if the requirements of the GDPR were violated. But this only applies to third countries that do not offer an adequate level of protection. And according to the DSS Decision, the United States ensures an adequate level of protection for personal data.

There must be a level of protection of enforceable rights that is equivalent in substance to the level guaranteed in the Union by the GDPR in the light of the Charter, the ECJ explained. In practice, it may not be possible to ensure the effective protection of personal data transferred to the third country in question if the law of that third country allows its authorities to interfere with the rights of data subjects with regard to those data.

SCC decision is valid

However, this is regulated by the SCC Decision. The controller established in the Union and the recipient of the transfer of personal data is obliged to check in advance whether the level of protection required by Union law is respected in the third country concerned. Under clause 5(b) of the Annex to the SCC Decision, the recipient of the transfer may be obliged to notify the controller that he cannot comply with the clauses, whereupon the controller must suspend the data transfer and/or withdraw from the contract. The SCC Decision therefore provides effective mechanisms for dealing with violations of the requirements of the GDPR.

The SCC Decision is therefore valid, also in relation to the Charter of Fundamental Rights and the GDPR in the EU, the ECJ ruled.

ECJ declares DSS decision invalid

In contrast, the ECJ assessed the DSS Decision differently. The court confirmed that the practice of the USA to pass on a collective collection of personal data to its secret services did not in fact correspond to the European level of protection. On the other hand, the U.S. ombudsman mechanism gives each individual the possibility of appealing to an independent and impartial court to obtain access to personal data concerning him or her or to have such data corrected or deleted – in the USA.

However, this would not provide guarantees equivalent to those required under Article 47 of the Charter. Therefore, the ECJ annulled the DSS Decision, which has so far confirmed to the United States an adequate level of protection for personal data.

Sources: 

Urteil EuGH zu Schrems vs. Facebook Ireland, EU:C:2020:559

Image:

Simon | pixabay.com | CCO License

  • share  
  • share 
  • share 
  • tweet 
  • share 

Category iconOverall,  Generell Tag iconECJ,  Schrems,  breach of GDPR,  SCC Decisions,  Facebook,  GDPR,  Facebook Ireland,  personal data,  Austrian Schrems,  DSS Decision,  national supervisory authorities

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

More articles about: Overall

All articles

Blog Menu

  • Design Law
  • Healthcare & Lifesciences
  • International Intellectual Property
  • Licenses
  • News from our law firm
  • Overall
  • Patent Law
  • Product- and Trademark piracy
  • Trademark Law

Recent Posts

  • BPatG: Patent claim of cancer drug on active substance as salt 7. March 2022
  • Grant for European IP Protection: SME Fund 2022 4. March 2022
  • CODE-X vs. Cody’s: Likelihood of confusion in drinks? 25. February 2022
  • EOS lip balm no 3D trademark – appeal before ECJ not admissible 24. February 2022

Fields of Law

  • Patent Law
  • Utility Model Law
  • Employees’ Inventions
  • Trademark Law
  • Design Law
  • Trademark and Product Piracy
  • Expert Opinions
  • Costs

Das könnte Sie auch interessieren:

12. July 2019
CJEU confirms cartel of optical drive manufacturers

CJEU confirms cartel of optical drive manufacturers

2. April 2019
Revocation of online purchase of a mattress – even without protective film

Revocation of online purchase of a mattress – even without protective film

17. January 2019
Amazon Dash Button banned in Germany

Amazon Dash Button banned in Germany

19. December 2018
Online purchase of mattress: AG strengthens consumer protection

Online purchase of mattress: AG strengthens consumer protection

23. October 2018
File sharing – Protection of family life no longer first

File sharing – Protection of family life no longer first

29. August 2018
No right of withdrawal for consumers at German trade fairs

No right of withdrawal for consumers at German trade fairs

Contact us or request a call back

+49 (0) 69 / 606 278 – 0
[email protected]
Request a call back

Footer

Contact

Hanauer Landstrasse 287
D – 60314 Frankfurt am Main
Deutschland
+49 (0) 69 / 606 278 – 0
+49 (0) 69 / 606 278 – 199
[email protected]

Office Hours
Moday – Friday:   08:00-18:00

Fields of Law

  • Patent Law
  • Utility Model Law
  • Employees’ Inventions
  • Trademark Law
  • Design Law
  • Trademark and Product Piracy
  • Expert Opinions
  • Costs

Law Firm

  • Request non-binding call back
  • Company
  • Our Law Firm
  • ISO Certificate
  • Privacy Policy
  • Data handling for clients
  • Imprint

Follow Us

  • Facebook
  • Twitter
  • LinkedIn
  • xing
  • Email

Newsletter Signup

© Patent- & Rechtsanwaltskanzlei Meyer-Dulheuer MD Legal Patentanwälte PartG mbB

Contact Form

 

Give us a call, send us an email or fill out the contact form.

+49 (0) 69 / 606 278 – 0
[email protected]

Kontaktformular

 

Rufen Sie uns an, schicken Sie uns eine Mail oder füllen Sie das Kontaktformular aus.

+49 (0) 69 / 606 278 – 0
[email protected]