European Court of Justice (ECJ)

The European Court of Justice’s ruling in Schrems II, invalidating the EU-U.S. Privacy Shield framework as a means of transmitting personal data from the EU to the U.S., has drawn swift reaction from data protection authorities and other entities across Europe. Here are a few of the responses:

Vera Jourova, Vice President, European Commission

“I know citizens and businesses are seeking reassurance today on both sides of the Atlantic. So let me be clear: we will continue our work to ensure the continuity of safe data flows.

We will do this:

  • in line with today’s judgment
  • in full respect of EU law
  • and in line with the fundamental rights of citizens.”

” The Commission has already been working intensively to ensure that the toolbox [for cross border transfer tools] is fit for purpose, including the modernization of the Standard Contractual Clauses … We will now swiftly finalize it. Today’s ruling provides further valuable guidance for us and we will make sure that the updated tool will be fully in line with it.”Continue Reading Governments, Data Protection Authorities React to EU-US Privacy Shield Ruling

Standard Contractual Clauses live to fight another day.

“(There) is an obligation — placed on the controllers … and, where the latter fail to act, on the supervisory authorities …
Continue Reading EU Advocate General Releases Opinion on ‘Schrems II’ Case Involving Standard Contractual Clauses

A Facebook “like” is actually more like “in a [Joint Controller] relationship” status, says the Court of Justice of the EU in a long awaited decision in the Fashion ID matter.

At issue: The legal framework surrounding embedding a Facebook “Like” button on your website.

When a user visits a website on which a Facebook “Like” button is installed, their personal data is transmitted to Facebook Ireland.

This includes:

  • the IP address of the visitor’s computer
  • technical data of the browser (so that the server can determine the format in which the content is delivered to this address)
  • information about the desired content.

The operator of the website is not able to determine the data that the browser transmits or what Facebook does with this data, especially if it decides to store and use it.

The transfer of information happens:

  • whether or not the individual is a member of the social network Facebook
  • whether or not the person has clicked on the “Like” button
  • in many cases, without the individual being aware that the information is being collected or transmitted to Facebook

Key takeaways:

A website operator and Facebook can be joint controllers for the data collected via the website on which the button is installed

The operator of a website that features a Facebook “Like” button can be a controller jointly with Facebook in respect to the collection and transmission to Facebook of the personal data of visitors to its website. However, the responsibility is limited to the operation or the set of personal data processing operations for which it actually determines the purposes and means, namely the collection and communication, by transmission, of the data in question.Continue Reading EU Court of Justice Issues Long-Awaited Decision on Facebook Likes in Fashion ID Matter

EU and U.S. officials finally unveiled the full text of the proposed EU-U.S. Privacy Shield framework earlier this week. The agreement is the culmination of a five-month negotiation to address
Continue Reading The EU-U.S. Privacy Shield Agreement Is Unveiled, But Its Effects and Future Remain Uncertain