Skip to content

Brought to you by

Dentons logo

Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

open menu close menu

Privacy and Cybersecurity Law

  • Home
  • About Us

Schrems v. Irish Data Protection Commissioner: some further thoughts

By Simon Elliott
September 25, 2015
  • Europe
  • New and Proposed Laws
  • United Kingdom
  • United States
Share on Facebook Share on Twitter Share via email Share on LinkedIn

As the dust begins to settle after the headline-grabbing Advocate General opinion in the Schrems v. Irish Data Protection Commissioner it may be worth considering some of the other potential implications arising from that opinion.

Of course, the AG opinion is not the final word on this matter. That will rest with the judgement of the Court of Justice of the European Union (CJEU). And the CJEU is not bound to follow this opinion. So there may well be life left in Safe Harbor (or Safe Harbor 2.0) yet. But if the CJEU follows suit, what else could this mean?

  • The Irish Data Protection Commissioner had initially refused Mr Schrems’ complaint on the grounds it was “frivolous or vexatious” as he could not evidence that his information specifically had been subject to surveillance by US law enforcement agencies.  Once the CJEU has made its decision, the complaint will be passed back to Ireland – could the same conclusion be reached as Mr Schrems has still not provided this evidence?  Given the conclusions of the Irish High Court in making its referral to the CJEU this seems unlikely – they believed the PRISM programme gives rise to a “significant issue”; but you never know.
  • If the CJEU determines, as seems likely, that the independence of local data protection supervisory authorities means they are not necessarily bound to follow decisions of the European Commission, what other alternative approaches could local authorities adopt?  Could we see some local authorities determining that other data flows do not provide an adequate level of protection for European personal data?  Or perhaps the Article 29 Working Party will need to take more of a lead?
  • AG Bot’s critique of Safe Harbor is certainly detailed.  In essence, AG Bot identifies two fundamental flaws with Safe Harbor:
    • the rights granted to US law enforcement agencies to access personal information held by technology providers in the US are too broad – and, as a result, the restriction of the Safe Harbor principles in such circumstances disproportionate; and
    • the lack of an independent authority in the US with a sufficiently broad remit to monitor and enforce compliance with the requirements for protection and security of personal data – the Federal Trade Commission’s responsibility is limited to commercial practices but does not oversee the activities of US law enforcement agencies.
  • Clearly the “Snowdon revelations” have brought concerns regarding Safe Harbor to the forefront, but these two “flaws” are products of the structure of Safe Harbor.  Will the CJEU really follow suit in reaching a view that Safe Harbor has been “invalid” for the past 15 years?  And does the same risks actually apply to model clauses or other data transfer solutions?
  • The lack of an independent US data protection authority is significant in its own right; will this Opinion put pressure on the EU Commission to require such a body as part of the renegotiation of “Safe Harbor 2.0”?  Will it put pressure on the US to press ahead with “rights for EU citizens”; other subject currently under discussion.  What is clear, is that these negotiations have just received a renewed sense of urgency.

Some food for thought while we await the CJEU decision.

Share on Facebook Share on Twitter Share via email Share on LinkedIn
Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
Simon Elliott

About Simon Elliott

Simon focuses on advising multinational corporates on a wide range of data protection and technology law issues.

All posts Full bio

RELATED POSTS

  • Europe
  • New and Proposed Laws

Are we nearly there yet?

By Nick Graham
  • Canada
  • Consumer Protection
  • Enforcement
  • Marketing, Cookies & Spam
  • United States

CRTC enters into MOU with FTC on spam and unlawful telemarketing

By Margot Patterson
  • Europe
  • Privacy Rights

Processing of riders’ personal data ̶ The Italian Data Protection Authority sanctions a food delivery company

By Privacy and Cybersecurity Group

About Dentons

Across over 80 countries, Dentons helps you grow, protect, operate and finance your organization by providing uniquely global and deeply local legal solutions. Polycentric, purpose-driven and committed to inclusion, diversity, equity and sustainability, we focus on what matters most to you. www.dentons.com

Grow, Protect, Operate, Finance. Dentons, the law firm of the future is here. Copyright 2023 Dentons. Dentons is a global legal practice providing client services worldwide through its member firms and affiliates. Please see dentons.com for Legal notices.

Categories

  • Accountability
  • Asia Pacific
  • Canada
  • Cloud Computing
  • Consumer Protection
  • Cybersecurity
  • Data Breach
  • Data Transfers
  • Employee Privacy
  • Enforcement
  • Europe
  • General
  • Government Information
  • Health Information Privacy
  • Latin America
  • Marketing, Cookies & Spam
  • New and Proposed Laws
  • Privacy Notices
  • Privacy Rights
  • Record Retention
  • Smart Cities
  • United Kingdom
  • United States

Subscribe and stay updated

Receive our latest blog posts by email.

Stay in Touch

Dentons logo in black and white

© 2023 Dentons

  • Legal notices
  • Privacy policy
  • Terms of use
  • Cookies on this site