The effects of the seminal Court of Justice of the EU (CJEU) decision in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, “Schrems II”) will be felt for some time. In this case the CJEU affirmed the validity of the standard contractual clauses (SCCs) for data transfers under Commission Decision 2010/87/EU (later amended by Commission Decision 2016/2297), but invalidated Commission Decision 2016/1250 which formed the legal basis for the EU-US Privacy Shield.
The decision builds on the Court’s 2015 ruling in Maximillian Schrems v. Data Protection Commissioner (Case C-362/14, “Schrems I”), in which the Commission adequacy decision underlying the EU-US Safe Harbour arrangement, the predecessor to the Privacy Shield, was invalidated. The case will have a major impact on the validity of international data transfers going forward with the implications of the Court’s ruling extending far beyond its impact on the use of SCCs and the Privacy Shield in particular. More specifically, the judgement clarifies that those exporting personal data are expected to examine the circumstances surrounding each transfer and to assess whether the protections provided in the third country are essentially equivalent to those provided for in the EU in the absence of an adequacy agreement.
As there is no such adequacy agreement between the EU and Australia the ruling is of significant importance. Indeed, in its Digital Platforms Inquiry – Final Report, the Australian Competition and Consumer Commission (ACCC) recommended wide scale reform of the Privacy Act and the Australian Consumer Law in response to the significant challenges to consumer privacy brought about by our use and reliance on technology in order to bring the protections in line with international standards. However, it remains unclear whether even a wholesale adoption of ACCC’s recommendations would bring the protections in line with the GDPR. These equivalence concerns are multiplied when one considers that in the Schrems II case the CJEU was particularly concerned with law enforcement access to data and hence, individual redress against national security and intelligence services. Given Australia’s membership of the Five Eyes intelligence alliance and the extensive powers afforded to law enforcement agencies, the legitimacy of exporting personal data from the EU to Australia is in doubt. The purpose of this event therefore is to explore the implications of the Schrems II ruling for Australia.