This week saw the Irish courts rule in another data protection/privacy ruling brought by Max Schrems. This time is was 'model clauses' that were the target, following past cases that dismantled the Safe Harbour scheme.
The ruling also took aim at some of the features of the Privacy Shield arrangement, which was brought in to replace the Safe Harbour scheme - therefore, this case is not going to be the final chapter of the story.
For companies, it presents continuing uncertainty over how to handle data transfers to the US from Europe and with GDPR around the corner, with its increased demands and punishments, there is much on the "to do" list for companies with trans-Atlantic presence.
The first step in considering how to approach this, beyond the obvious legal advice, is for companies to fully understand how and where they process data - as without this, the full impact of this judgement and GDPR cannot be certain. It is not something that should be taken lightly!
A decision Tuesday by Ireland's High Court in the case brought by Austrian privacy activist Max Schrems has cast new uncertainty on the legal tool that Facebook and thousands of other U.S. companies use to transfer personal data from their operations in the European Union. Irish High Court Justice Caroline Costello in a highly anticipated ruling said the Irish Data Protection Commissioner had raised "well-founded concerns" about whether U.S. surveillance practices deny EU citizens fundamental rights once their data is transferred to the U.S. Costello's decision tees up yet another case at the Court of Justice for the European Union (CJEU) in Luxembourg—the EU's highest court—to determine the validity of "Standard Contractual Clauses," a key legal tool companies use to transfer EU citizens' personal data outside the bloc. A final decision is likely still years away.
