Following the landmark decision during the summer which rendered the Privacy Shield invalid, our team takes a look at recent developments in connection with the ongoing Schrems saga.
Schrems Judicial Review
Max Schrems, who raised the complaint against Facebook which resulted in two rulings by the CJEU striking down both Safe Harbour (Schrems I) and Privacy Shield (Schrems II), has applied for and been granted permission to raise a judicial review against the Data Protection Commission (DPC) in Ireland.
According to Schrems, this latest filing is on the basis that the DPC has not made a decision on his original 2013 complaint, where he maintained that Facebook was illegally transferring his personal data to the US. In addition, he alleges that the DPC has been aware of Facebook using alternative data transfer mechanisms to transfer EU users’ data to the U.S. since 2016 and has not shared this information during the recent litigation.
Permission to judicially review was sought ex parte, (without the DPC present), as is common in judicial review cases. As such the DPC has not yet presented its position in respect of the complaint. Now that permission has been granted, the next step is for the DPC to be served with a summons identifying the remedies sought. The court will then assign a hearing date. Although COVID-19 has generally had a delaying impact on court procedures in Ireland, the superior courts are working on an almost back to normal basis. It is likely the case will be listed for a remote hearing in the next 3 months.
Facebook Judicial Review
This is not the first judicial review in respect of these issues: last month, Facebook applied to judicially review a preliminary order sent by the DPC following the CJEU’s judgment, which allegedly ordered that Facebook suspend its data transfers to the US. The application for judicial review was similarly made ex parte of the DPC. Permission was granted and the preliminary order has been stayed, which allows Facebook to continue its transfers to the US. This case has been provisionally listed for a hearing for 3 to 4 days, beginning on Tuesday 15 December.
Schrems II Costs Battle
Finally, there is an on-going costs battle around the Schrems II case. The DPC’s position is that it is entitled to recover its costs from Facebook on the basis that Facebook unsuccessfully opposed the making of the reference, both in the High Court and, on appeal, in the Supreme Court. It also argues that Facebook (not the DPC) should pay Schrems’ costs.
Against this backdrop, the DPC sought and received a significant increase in funding (to €19.1m) from the Irish Government in its 2021 budget. The DPC has stated that it foresees an expansion to its resources, key strategic projects such as the implementation of a new case management system, being progressed and greater intervention on areas of ‘systemic risk’, such as finalising various ongoing statutory inquiries.
While many companies and stakeholders around the world will watch the developments in Ireland closely, much work remains to be done in the meantime, Irrespective of the various procedural developments, organisations transferring personal data outside of the EEA should be considering the impact of Schrems II. DLA Piper’s global Privacy, Data Protection & Security team has launched its Data Transfer Methodology, with which we are assisting clients to risk assessing their transfers, and implementing supplemental measures where required Please contact a member of our data protection team for more information on how we can assist you.