{"id":48,"date":"2019-12-11T00:00:00","date_gmt":"2019-12-11T00:00:00","guid":{"rendered":"https:\/\/lawblog.uclancyprus.ac.cy\/index.php\/2019\/12\/11\/data-protection\/"},"modified":"2019-12-11T00:00:00","modified_gmt":"2019-12-11T00:00:00","slug":"data-protection","status":"publish","type":"post","link":"https:\/\/lawblog.uclancyprus.ac.cy\/data-protection\/","title":{"rendered":"Data Protection"},"content":{"rendered":"

UCLAN Cyprus School of Law will hold a Data Protection Roundtable on <\/em><\/strong>15th January 2020 <\/em><\/strong>to discuss the Schrems II opinion and other legal developments in data protection in 2019.  The event is approved for CPD credit by the Cyprus Bar Association.  More information and the registration form are available at <\/em><\/strong>https:\/\/www.uclancyprus.ac.cy\/law-academy-category\/cpd-series-on-law-and-technology\/<\/em><\/strong><\/a>. <\/em><\/strong><\/p>

Key Opinion on International Data Transfers Coming Next Week<\/strong><\/p>

By Amy Grant, Senior Visiting Fellow, UCLAN Cyprus School of Law<\/p>

The preliminary, non-binding opinion in a closely watched data protection case will be released by the Advocate General of the Court of Justice of the European Union (CJEU) on Thursday, 19th<\/sup> December.  The \u201cSchrems II\u201d case (case C-311\/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems) is a sequel to the first Schrems case (case C-362\/14, Schrems v Data Protection Commissioner) that resulted in the invalidation of the EU-US Safe Harbour Framework in 2015.  A final decision by the CJEU in the Schrems II case is expected in early 2020.<\/p>

Both cases concern how Data Protection Authorities should assess the protection of personal data that Facebook transfers from the European Union to the United States for storage and processing, in the context of national security surveillance activities by U.S. agencies that were revealed by Edward Snowden in 2013.<\/p>

In the Schrems II case, the Irish High Court referred eleven questions to the CJEU for a preliminary ruling.  These questions ask for clarification regarding how to determine the adequacy of data protection safeguards when personal data is transferred to a third country outside the European Union, and the extent to which such data can be further processed in the receiving country for national security and law enforcement purposes.  <\/p>

The two most common safeguards that companies use when transferring data from the European Union to the United States are Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Shield (Privacy Shield).<\/p>

SCCs were defined as a data protection safeguard under the European Union Data Protection Directive in 1995.  The Directive\u2019s 2016 successor, the General Data Protection Regulation, also included SCCs as one of the available mechanisms for international data transfers.  The SCCs currently in use worldwide have not been updated since 2010.<\/p>

The Privacy Shield was adopted in 2016 after its predecessor, the EU-U.S. Safe Harbour Framework, was invalidated by the CJEU in the first Schrems case.  Under the Privacy Shield, U.S. companies that implement data protection measures meeting specific requirements can self-certify compliance, which allows the transfer of personal data from the European Union to such companies without the use of SCCs.<\/p>

Several outcomes from the Schrems II case are possible with respect to the use of SCCs:<\/p>