The Data Protection Commission has strongly welcomed a judgment by the European Court of Justice which ruled that Privacy Shield, the EU-US data protection agreement, is invalid.

In its first reaction to the judgement, the Data Protection Commission said in terms of the points of principle in play, the court has endorsed its position, it has also ruled that Standard Contractual Clauses (SCCs) used to transfer data to countries worldwide are valid.

But it said it is clear that, in practice, the application of the SCCs to transfers of personal data to the United States is now "questionable".

"This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis," it said.

The DPC said it began the proceedings in 2016 precisely because it was concerned that the CJEU's Safe Harbour judgment of 2015 indicated that EU-US data transfers were inherently problematic, for reasons associated with the structure of the legal system in operation in the US.

"Moreover, this was so, whatever the legal mechanism by which such transfers were conducted," it said.

It said the judgment today firmly endorses the substance of its concerns that EU citizens do not enjoy the level of protection demanded by EU law when their data is transferred to the United States.

"In that regard, while the judgment most obviously captures Facebook's transfers of data relating to Mr Schrems, it is of course the case that its scope extends far beyond that, addressing the position of EU citizens generally," it said.

We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences

It said the court also agreed with its view that, whatever mechanism is used to transfer data to a third country, the protection afforded to EU citizens in respect of that data must be essentially equivalent to that which it enjoys within the EU.


What the ECJ's Facebook data ruling means for your data
The Facebook data privacy case - all you need to know


The privacy campaigner Max Schrems has claimed that as a result of today's European Court of Justice ruling, Facebook and similar companies cannot rely on so-called Standard Contractual Clauses (SCCs) to transfer data to the United States.

Mr Schrems says Ireland's Data Protection Commissioner "must stop transfers under this instrument."

This contradicts a number of statements from Facebook and other organisations who have interpreted the judgement as continuing to facilitate the use of SCCs to transfer data to third countries, such as the US.

Writing on the website of his campaign group NYOB, Mr Schrems said: "I am very happy about the judgment. It seems the Court has followed us in all aspects. This is a total blow to the Irish DPC [Data Protection Commissioner] and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market."

He said that the US limited most protections to "US persons" but did not protect the data of foreign customers of companies from the US National Security Agency. 

Mr Schrems added that EU data protection commissioners had an obligation to take action if the recipients of SCCs were unable to show that European privacy norms were in conflict with those of the country to which the data was being exported.

"The Court is not only telling the Irish DPC to do its job after seven years of inaction, but also telling all European DPAs that they have a duty to take action and cannot just look the other way. 

"This is a fundamental shift going far beyond EU-US data transfers. Authorities like the Irish DPC have so far undermined the success of the GDPR by simply not processing complaints. The Court has clearly told the DPAs to get going and enforce the law," he wrote.

He added: "The judgment makes it clear that companies cannot just sign the SCCs, but also have to check if they can be complied with in practice. In cases such as Facebook, where they don't take action, the DPC had the solution to this case in her own hands all along. She could have ordered Facebook to stop transfers years ago. 

"In our complaint, we demanded that she would issue a prohibition notice with a reasonable implementation period to allow Facebook take all necessary steps. Instead, she turned to the CJEU to invalidate the SCCs, which are valid. It's like screaming for the European fire brigade, because you don't feel like blowing out a candle yourself."

Additional reporting Tony Connelly