EU Updates on Schrems II and the Privacy Shield

The current challenge to Facebook’s privacy practices in Ireland (“Schrems II”) may be coming to a head. You will recall that in Schrems I, the challenge to Facebook’s privacy practices led to a decision issued by the European Court of Justice that invalidated the US-EU Safe Harbor. Following the invalidation of the Safe Harbor, Facebook switched to the Commission’s Standard Contractual Clauses (SCC) and the Schrems complaint was reformulated to challenge the SCC. The idea is that the same criticisms that could be made against Safe Harbor (essentially no protection against mass surveillance by US authorities) also apply to the SCC. News reports suggest the Irish High Court is expected to issue its decision as soon as tomorrow, October 3.

There are currently two actions pending before the European General Court (the European first instance court) which were initiated by several NGOs, an Irish organization called Digital Rights Ireland and three French organizations, La Quadrature du Net, French Data Network and la Fédération des fournisseurs d’accès internet associatifs to challenge the current US-EU Privacy Shield. There is an issue about whether these complaints are admissible. In July the EGC decided in the case initiated by the French that the admissibility issue and the merits will be examined at the same time. It will be many months before a decision is issued.

But in the meantime, the Commission is supposed to conduct an annual evaluation of how the Privacy Shield is actually working.‎ Discussions took place two weeks ago in Washington DC between the Commission and US authorities, as reflected in the joint press release issued by Commissioner Jourova and the US Secretary of Commerce Ross. In theory, the Commission could suspend its decision if it concluded that the Privacy Shield is not enforced in an adequate way but they may not be too critical of the Privacy Shield, which is, after all, the product of their own.