Schrems-II: Further Analysis of the Core Elements of the Verdict

Schrems-II: Further Analysis of the Core Elements of the Verdict


Following the first analysis of the Schrems-II verdict from the Court of Justice of the European Union, delivered on 16 July 2020, it is time to take a closer look at some of the core issues discussed by the Court. 


The EU law carve-out for national security legislation


The Schrems cases both have their origin in the revelations Edward Snowden made in 2013 on the existence of large-scale government surveillance programs in the United States, including PRISM and UPSTREAM. Under these programs, the U.S. intelligence and security services can collect personal data from outside the United States, and use it at their own discretion in order to protect the interests of the state. And although most countries around the world have intelligence and security services that collect and analyse large volumes of data, the scale with which this seems to happen in the United States for many came as a surprise. 


In the European Union (EU) however, national security, and thus any activity by intelligence and security services, falls outside the competence of the Union. According to Article 4 of the Treaty on the European Union, “national security remains the sole responsibility of each Member State”. Thanks to this provision, we have the somewhat cynical situation that it doesn’t matter what the intelligence and security services of the EU Member States, but that it could be relevant what those in foreign countries do, at least from a data protection perspective. That is also the first question that was raised before the CJEU: why, if the EU is not competent to discuss national security, would foreign national security activity have an impact on data transfers under the GDPR. 


According to the Court, the answer is relatively straightforward: the transfer from the EU to a thir ..

Support the originator by clicking the read the rest link below.