Schrems II and its implications for data export from the EU
Overnight, the Court of Justice of the European Union (CJEU) released its judgment in Facebook Ireland v Schrems (C-311/18). The case, whose judgment will have significant implications for exporting data from the EU, concerned the legality of the transfer of an EU citizen’s personal data by Facebook Ireland to its United States parent company.
While the Standard Contractual Clauses (SCCs) were found to be a valid means of transferring personal data cross-border, the validity of those clauses in each instance depends on a separate assessment of the robustness of the local environment (in this case, that assessment should have included a consideration of surveillance activities carried out by United States public authorities). An EU data exporter cannot simply rely on the Privacy Shield without carrying out such an assessment.
While further consideration will need to be given to the implications of the Schrems II decision, it is likely that there will, at a minimum, be heightened examination of the relevant local laws (including Australian law) to ensure protection at least equivalent to that offered by the General Data Protection Regulation. Data exporters are also likely to require additional contractual protection, including obligations to notify the data exporter of any inability to comply with the SCCs, and broader termination or suspension rights for the data exporters.
For further information on any of the issues raised in this alert, please contact the Digital and Intellectual Property team at McCullough Robertson.
This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.