Skip to main content
Insight

Background on CJEU "Schrems II" Case

The Court of Justice of the European Union ("CJEU") will issue its judgment tomorrow in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/1) (also commonly known as "Schrems II").  The judgment is set to represent a further significant milestone in the tortured recent history of EU-US transfers of personal data.

Therefore, as a potentially useful aide-mémoire, see as follows for a timeline of the key events (with links to relevant documents provided for any ardent individuals wishing to squeeze in some last-minute reading!) leading up to tomorrow's judgment –
 
 Date  Event
 June 2013  Snowden disclosures regarding PRISM
 June 2013  Schrems complaint to Irish DPC re Safe Harbor in view of Snowden  disclosures
 June 2014  Irish High Court refers the Schrems case to CJEU
 October 2015  CJEU invalidates Safe Harbor
 October–December  2015  Schrems complaint to Irish DPC re EU Standard Contractual Clauses
 July 2016  Adoption of EU-US Privacy Shield
 October 2017  Irish High Court refers Schrems complaint to the CJEU
 May 2018  Entry into force of the GDPR
 July 2019  Schrems II hearing in the CJEU
 December 2019  CJEU AG Opinion in Schrems II
 16 July 2020  CJEU judgment in Schrems II

As demonstrated by the timeline, Schrems II has been years in the making and is a fascinating case.  Indeed, it raises involved questions about the importance of personal data to organisations / economies in the 21st century, the role of the EU as an architect and arbiter of international data protection rules and, of course, at the case's core – a potentially intractable conflict between US surveillance law and EU fundamental rights.

However, of potentially greater immediate concern to privacy practitioners is that the judgment may well trigger changes to their companies' day-to-day compliance activities.  This is because, among eleven detailed questions, the CJEU is assessing the validity of the long-established and much used EU Standard Contractual Clauses as well as potentially the EU-US Privacy Shield Framework.  The judgment may also have consequences for EU-UK data flows post-Brexit.

With that in mind, please do join a Fieldfisher webinar on Friday 17 July or Monday 20 July in which Renzo Marchini, Eleonor Duhs and myself explain the key commercial and practical implications for businesses arising from the judgement. To register, please click here.

Sign up to our email digest

Click to subscribe or manage your email preferences.

SUBSCRIBE