The outcome of two important court rulings from Europe this week will be closely watched in Ireland.
Much of the focus will be on Wednesday’s ruling by the General Court of the EU on an appeal by Ireland and Apple against the European Commission’s decision that the tech giant should pay €13 billion in back taxes to Ireland.
But on Thursday, Europe’s highest court, the European Court of Justice, is due to hand down judgment on the Schrems II case on whether the European Commission’s standard contractual clauses (SCCs) and the EU- US Privacy Shield regime are valid for transfers of personal data outside of Europe.
The case was initiated by Ireland’s Data Protection Commissioner to query the validity of SCCs.
John Magee, partner and head of data protection, privacy and security at legal firm DLA Piper Ireland, described it as one of the most highly anticipated judgments of the year.
SCCs and Privacy Shield are widely used by organisations to legitimise transfers of personal data from the EU to third countries, such as the US.
Without them it would be difficult to lawfully export personal data from the EU or the UK. Magee points out that this would pose a significant risk to many businesses which rely on the free movement of personal data.
“The European Commission recently announced that it is preparing for the eventuality of at least one of these mechanisms being invalidated, namely Privacy Shield,” says the DLA Piper lawyer.
In 2015, the ECJ invalidated the EU-US Safe Harbor framework which was the predecessor to Privacy Shield. “If the court invalidated the standard contractual clauses or Privacy Shield, there would be a big impact on data transfers, many of which would become unlawful overnight,” says Magee.
“Unfortunately, there is currently no practical alternative in place that can be easily used to legitimise these transfers on a systematic and regular basis," he adds.
The original Schrems I case was brought to the ECJ by Max Schrems, an Austrian privacy activist, who complained about Facebook’s transfer of data to the US under the Safe Harbor framework.
Following the invalidation of Safe Harbor by the CJEU, the Schrems II case was initiated by Ireland’s Data Protection Commissioner to query the validity of SCCs.