Schrems II. The EU adequacy regime in existential crisis?
| Date | 01 October 2019 |
| Published date | 01 October 2019 |
| Author | Jan Xavier Dhont |
| DOI | 10.1177/1023263X19873618 |
| Subject Matter | Editorial |
Editorial
Schrems II. The EU adequacy
regime in existential crisis?
Jan Xavier Dhont*
On July 9, 2019, the European Court of Justice (‘ECJ’) heard the arguments of the parties in the
Schrems II case. The case concerns a complaint of the Austrian privacy activist, Max Schrems,
before the Irish Data Protection Commission (‘DPC’) against Facebook’s use of the EU Commis-
sion approved Model Clauses (‘Model Clauses’). The DPC submitted the case to the Irish High
Court, which heard it in 2017 and in turn referred the case to the ECJ. The Irish High Court
presented the ECJ with eleven preliminary questions which, in essence, revolve around the validity
of the Model Clauses and the Privacy Shield in a context where foreign state agencies, such as the
National Security Agency (‘NSA’) in the United States may have broad access rights to imported
personal data.
Given its market-disruptive potential, this is arguably one of the most important cases in years.
The ECJ may set conditions that make it more difficult to rely on mechanisms to transfer personal
data internationally, such as, particularly, the Model Clauses and the Privacy Shield. Even further,
it cannot be excluded that the ECJ may invalidate one or both of these transfer mechanisms. This
would leave businesses trading between the European Union and non-adequate third countries with
very limited options to export personal data, mainly Binding Corporate Rules (‘BCR’), and
derogations. BCRs are mostly fit for large, privacy-mature, multinational companies. Derogations,
such as individuals’ consent or the need to transfer personal data for the performance of a contract,
1
are not designed for structural and ongoing data transfers and do not contribute to the protection of
personal data post-transfer.
If none of the above works, the only remaining alternative is ‘de fa cto’ data localization:
companies may decide to physically store personal data in the EU and require host service
* Wilson Sonsini Goodrich and Rosati, Brussels, Belgium
Corresponding author:
Jan Xavier Dhont, Wilson Sonsini Goodrich and Rosati, Montoyerstraat 47, Brussels 1000, Belgium.
E-mail: jdhont@wsgr.com
1. Article 49 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing
Directive 95/46/EC, [2016] OJ L 119 (‘GDPR’).
Maastricht Journal of European and
Comparative Law
2019, Vol. 26(5) 597–601
ªThe Author(s) 2019
Article reuse guidelines:
sagepub.com/journals-permissions
DOI: 10.1177/1023263X19873618
maastrichtjournal.sagepub.com
MJ
MJ
To continue reading
Request your trial