As a general principle under the Danish Data Protection Act (and the underlying Data Protection Directive), data may be transferred to a third country only if this country ensures an adequate level of protection. The new General Data Protection Regulation contains similar provisions. But now the question of what exactly is an adequate level of protection has been raised once again.
The case is based on the complaint filed by Austrian Facebook user Maximilian Schrems about the Safe Harbor agreement. Schrems felt that the agreement did not ensure an adequate level of protection for the personal data transferred by Facebook in Ireland to Facebook in the US. The case resulted in the Safe Harbor agreement being ruled invalid by the ECJ in 2015.
After this ruling, Facebook had to find another legal basis for its data transfers – and the choice fell on the EU standard contractual clauses, which are generally widely used as a transfer basis. However, Schrems has also complained about this transfer basis to the Irish data protection authority, arguing that this legal basis, too, does not ensure an adequate level of protection.
The Irish data protection authority has therefore brought the matter before the Irish High Court with a view to obtaining a ruling from the ECJ on the validity of the EU standard contractual clauses. As the EU standard contractual clauses were established by decision of the European Commission, it is the ECJ alone which can declare them invalid.
The case is currently being argued before the Irish High Court.
Norrbom Vinding will follow the case and report on any developments.