MBF Knowledge Base
MBF · MBF Knowledge Base Home · EU General Data Protection Regulation CJEU Cases

EU General Data Protection Regulation CJEU Cases

All information here was borrowed from the GDPR website https://eugdpr.org

There have been two recent cases brought before the Court of Justice of the European Union (CJEU) dealing with data privacy in the run-up to the GDPR. The case of Weltimmo affects the realm of one-stop-shop regulation within the EU, and the case ruling Safe Harbour invalid affects the realm of EU-US data transfers.

Weltimmo Case

An already controversial topic, the idea of a one-stop-shop for data privacy regulation first arose out of the previous directive, intending to cut some of the red tape for businesses. However, the Weltimmo case on 1 October 2015 resulted in the ruling that companies must comply with local data privacy laws if they have “establishments” in member states outside that which holds their European headquarters. Although the GDPR was already attempting to fix this imperfect system before the CJEU ruling, there are still many issues to be worked out. Chief among these is the split between the DPAs of businesses and individuals. Regulators wish to make life easier for businesses by allowing them to only register and deal with one national DPA, yet they also want individuals to be able to go to their own respective DPA, whichmay very well be different from the businesses.

Collapse of Safe-Harbour Agreement

Only 5 days after the Weltimmo ruling, the CJEU came down with another ruling affecting data privacy, this time declaring the Safe Harbour scheme for EU-US data transfers to be invalid. While it was not the only way to transfer data to the US from the EU, around 4,500 companies relied on this framework as their main legal basis for transfers. The case was originally brought about by Austrian student Max Schrems, following the NSA revelations by Edward Snowden. It was ruled that the US public authorities were not only outside of the scope of Safe Harbour, but also have conflicting laws that prevail over the scheme in certain circumstances. It is yet to be seen if the extended scope of the GDPR (affecting all of the businesses processing EU personal data) will entirely replace the Safe Harbour scheme. There is also hope for a so called Safe Harbour 2.0 to relieve the pressure on businesses to find other legal forms of data transfer, which would likely be in effect well before the GDPR.