The European Law Blog will be taking a summer recess. We’ll be back end of August with new commentaries, including on key summer developments. Please do send us on your contributions throughout this period and we will get back to you in due course. Happy Holidays to all our readers!
On 16 July 2020 the Court of Justice of the European Union (CJEU) composed as Grand Chamber delivered its landmark ruling Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (case C-311/18, “Schrems II”). For the background and a discussion of the implications of the ruling for commercial transfers of personal data see the commentaries by Christopher Kuner and Theodore Christakis. The focus of my commentary will be on the aspect that EU law on cross-border transfers of personal data to a third country is not deferential to national security powers of that third country. This judgment is remarkable provided that electronic surveillance conducted by Member States’ intelligence authorities for the purpose of national security is off limits for EU law and that exceptions in international agreement are fairly regularly made for national security. This contribution will deal with the embedded assessment of a third country’s national security powers under the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) and will address the criticism that a third country is held to stricter standards than a Member State of the Union.
Schrems II is a continuation of the CJEU’s 2015 judgment in Maximillian Schrems v. Data Protection Commissioner (Case C-362/14, “Schrems I”), which invalidated the Commission’s Decision approving the EU-US Safe Harbour agreement (Decision 2000/520). The ruling notes that the Safe Harbour Decision carries a provision that “national security, public interest, or law enforcement requirements” have primacy over the Safe Harbour principles (para. 86). However, any interference with the rights to privacy and the protection of personal data as guaranteed by Articles 7 and 8 of the Charter of Fundamental Rights in the European Union (Charter) must be limited to what is strictly necessary and the right to effective judicial protection must be observed (paras. 92-95).