DPC has no clear time line on enforcing CJEU judgement

Data Transfers
 /  28 July 2020
Letter to DPC

Following the CJEU's judgment on EU-US data transfers by Facebook, we requested that the Irish DPC take action. The DPC's first response indicates that it is unwilling to commit to a clear time frame to reach a decision, despite it having been seven years and five court rulings since our original complaint was filed.

In 2015 following the CJEU's judgment on the "Safe Harbor" agreement, the DPC gave an undertaking before the Irish High Court to swiftly reach a decision on our complaint. Instead, however, they filed a lawsuit against Facebook and Mr Schrems that led to another reference before the CJEU. The Court ultimately upheld the position of Mr Schrems, also invalidating the Privacy Shield decision. The Court also highlighted once more that it was within the DPC's power to stop data transfers to the US through striking at the "Standard Contractual Clauses" that Facebook relied on. Furthermore, it was found that the DPC even has a duty to take such action.

Now, Mr Schrems has requested a clear outline of the steps that the DPC will take to implement the CJEU's judgment, as there are no clear steps under Irish procedural law. In its first response on the matter, the DPC refused to outline such steps. We have therefore made clear and specific requests that should be complied with by the 31 July 2020 and are committing to make any submissions in response to remaining legal bases that Facebook may rely on within 14 days. A final decision should then be possible by 1 October 2020.

Max Schrems: "noyb and I will now take every necessary step to ensure that controllers and DPAs will implement the clear decision by the CJEU. Making sure that the Irish DPC finally takes a decision after seven years and five rulings by the Irish and European Courts is only one of our options. We are also looking at other options, as it would be unacceptable if the EU's Supreme Court were to be ignored a second time round."