The man who took on Facebook… and changed the face of data protection rules
18 Mar 2021
Author: Francisco Matos
“Schrems II” was one of the main data protection rulings of 2020 and the European Union’s Court of Justice (CJEU) decision on this case has caused a tidal wave across borders.
The case saw Mr Schrems file a complaint against Facebook Ireland Ltd. He argued that his personal data was being transferred to the US company Facebook Inc., not only without his consent but also to a jurisdiction with broad surveillance laws which conflict with EU privacy laws.
After 7 years of legal battle, in 2020, the CJEU ruled in favor of Mr Schrems. This judgement caused a significant shift in the data protection field, because it invalidated one of the fundamental frameworks put in place for the transatlantic transfer of personal data, the Privacy Shield.
The Privacy Shield is designed to enable the transfer of personal data between the EU and the USA, and the USA and Switzerland. It’s built so that it complies with data protections requirements for commerce between these regions. The Schrems case invalidated the Privacy Shield, which means it can no longer be relied upon as a method for legitimizing personal data transfers from the EU to the US.
What does this mean?
With the Privacy Shield invalidated, countries are now looking at ways to continue international data transfer with a safer and more robust framework.
The EU and the US are adjusting their legislation and framework:
- the European Data Protection Board (an independent European body whose purpose is to ensure consistent application of the General Data Protection Regulation) is poised to issue its guidance on international data transfers
- the EU Commission is set to release new standard contractual clauses related to data transfer
- the new Biden administration appointed a deputy assistant secretary who will focus on negotiations of the replacement to the EU-U.S. Privacy Shield
What about for Micro Focus?
With the ‘Schrems II’ ruling, changes to the current rules around international data transfers outside of the EU will be necessary. Companies will have to put more safeguards in place and ensure that the recipient country has equivalent data protection to that of the EU, to be able to continue transferring personal data.
This means putting more guidelines in place for transferring personal data from the EU to other Micro Focus entities, customers, suppliers and all other thirds parties. Non-compliance with international data transfer rules means the company could be liable to pay GDPR fines as high as 20 million EUR or 4% of the company’s turnover for the preceding financial year (whichever is higher).
As we witness more data protection regulations coming into effect across the globe, I believe international data transfers will continue to be a hot topic in 2021.