We’re over a year into the GDPR era, and uncertainty persists on (among other things) mechanisms for the lawful transfer of personal data to non-EU countries whose data protection standards have not been certified as adequate. The US is of course the most notable country on that list – and Max Schrems is the most energetic opponent of transatlantic data transfers.
The current challenge in which he is involved is Case C-311/18, Facebook Ireland & Schrems (or ‘Schrems 2’). In a nutshell, the Irish DPC is challenging the European Commission’s standard contractual clauses, with a particular focus on the controller-processor clauses approved in 2010. The questions referred to the CJEU are here. The case is not directly about transfers to the US – after all, standard contractual clauses are supposed to cover transfers everywhere. But stateside data protection (or lack thereof) looms large, particularly given the Privacy Shield challenge also afoot before the CJEU.
The oral hearing in Schrems 2 took place on this week, and the AG opinion will be given on 12 December. If the CJEU kills off the current standard contractual clauses, there will be a major gap in transfer arrangements that needs urgent plugging.
Speaking of urgent plugging, here’s one for the bloke who did the oral hearing this week, representing the UK government: he is none other than Panopticon kingpin, Chris Knight.