• Mehr als 3 Millionen Wörter Inhalt
  • |
  • info@itmedialaw.com
  • |
  • Tel: 03322 5078053
Rechtsanwalt Marian Härtel - ITMediaLaw

No products in the cart.

  • en English
  • de Deutsch
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
Kurzberatung
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
Rechtsanwalt Marian Härtel - ITMediaLaw

ECJ overturns Privacy Shield: review contracts!

7. November 2022
in Data protection Law
Reading Time: 6 mins read
0 0
A A
0
dsgvo 3589608 1280
Key Facts
  • The GDPR regulates data protection for transfers to third countries with an adequate level of protection.
  • Schrems filed a lawsuit against Facebook for inadequate data protection when transferring data to the United States.
  • The European Court of Justice declared the Privacy Shield decision invalid in 2016.
  • Standard contractual clauses must guarantee a level of protection that corresponds to that of the GDPR.
  • Supervisory authorities must suspend data transfers if an adequate level of protection cannot be demonstrated.
  • The ombudsman mechanism in the Privacy Shield does not provide effective legal protection for data subjects.
  • Companies must review and potentially adapt their data protection declarations.

The General Data Protection Regulation(GDPR) stipulates that personal data may in principle only be transferred to a third country if the country in question guarantees an adequate level of protection for the data. Under the GDPR, the Commission may determine that a third country ensures an adequate level of protection by virtue of its domestic legislation or its international obligations.

Content Hide
1. The facts
2. The decision
3. The consequence
3.1. Author: Marian Härtel

In the absence of such an adequacy decision, such a transfer may only take place if the exporter of the personal data established in the Union provides for appropriate safeguards, which may result, inter alia, from standard data protection clauses developed by the Commission, and if the data subjects have enforceable rights and effective remedies. Furthermore, the GDPR specifies the conditions under which such a transfer may be made if there is neither an adequacy decision nor appropriate safeguards in place.

The facts

Mr Schrems, an Austrian national residing in Austria, has been a user of Facebook since 2008. As is the case with all other users residing in the territory of the Union, all or part of his personal data are transferred by Facebook Ireland to servers of Facebook Inc. located in the United States, where they are processed. Mr. Schrems filed a complaint with the Irish supervisory authority, essentially seeking to have these transfers prohibited. He claimed that the law and practice of the United States did not provide sufficient protection against access by the authorities to the data transferred there. His complaint was rejected, inter alia, on the grounds that the Commission had found in its Decision 2000/5205 (the so-called “Safe Harbor Decision”) that the United States ensured an adequate level of protection. In a judgment of October 6, 2015, the Court of Justice, following a request for a preliminary ruling from the Irish High Court, declared this decision invalid.

Following the Schrems I judgment and the subsequent annulment by the Irish High Court of the decision rejecting Mr. Schrems’ complaint, the Irish supervisory authority requested Mr. Schrems to reformulate his complaint in light of the Court’s invalidation of the Safe Harbour decision. In his reformulated complaint, Mr. Schrems claims that the United States did not provide sufficient protection for the data transferred there. He requests that the transfer of his personal data from the Union to the United States, now carried out by Facebook Ireland on the basis of the standard safeguards in the Annex to Decision 2010/877, be suspended or prohibited for the future. The Irish supervisory authority was of the opinion that the handling of Mr. Schrems’ complaint depended in particular on the validity of Decision 2010/87 on standard contractual clauses and therefore initiated proceedings before the High Court to request a preliminary ruling from the Court of Justice
. After this procedure was initiated, the Commission adopted Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield (“Privacy Shield”).

In its reference for a preliminary ruling, the Irish High Court asks the Court of Justice about the applicability of the GDPR to transfers of personal data based on the standard safeguards in Decision 2010/87, as well as the level of protection required by that Regulation in the context of such a transfer and the obligations incumbent on supervisory authorities in that context. Furthermore, the High Court raises the issue of the validity of both Decision 2010/87 on standard contractual clauses and Privacy Shield Decision 2016/1250.

The decision

In its judgment delivered today, the Court finds that the examination of Decision 2010/87 on standard contractual clauses in the light of the Charter of Fundamental Rights of the European Union has revealed nothing capable of affecting its validity. On the other hand, it declares the Privacy Shield Decision 2016/1250 invalid. The Court states, first, that EU law, in particular the GDPR, applies to a transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, even if the data may be processed, at the time of their transfer or subsequently, by the authorities of the third country concerned for purposes of public security, national defense and State security. Such processing of data by the authorities of a third country cannot result in such transfer being excluded from the scope of the GDPR. With regard to the level of protection required in the context of such a transfer, the Court rules that the requirements provided for in that regard in the GDPR, which relate to appropriate safeguards, enforceable rights and effective remedies, must be interpreted as meaning that individuals whose personal data are transferred to a third country on the basis of standard data protection clauses must enjoy a level of protection equivalent in substance to that guaranteed in the Union by the GDPR in the light of the Charter. In assessing this level of protection, account must be taken both of the contractual arrangements agreed between the data exporter established in the Union and the recipient of the transfer established in the third country concerned and, as regards possible access to the transferred data by the authorities of that third country, of the relevant aspects of that country’s legal system.

As regards the obligations incumbent on supervisory authorities in the context of such a transfer, the Court finds that, in the absence of a valid Commission adequacy decision, those authorities are required, in particular, to suspend or prohibit a transfer of personal data to a third country if, in the light of the circumstances of that transfer, they consider, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the transferred data required by Union law cannot be ensured by other means, unless the data exporter established in the Union has itself suspended or terminated the transfer.

Next, the Court considers the validity of Decision 2010/87 on standard contractual clauses. He does not see them called into question already by the fact that the standard data protection clauses contained in this decision, due to their contractual nature, do not bind the authorities of the third country to which data may be transferred. Rather, it depends on whether the decision contains effective mechanisms that can ensure in practice that the level of protection required by Union law is respected and that transfers of personal data based on such clauses are suspended or prohibited if those clauses are breached or compliance with them is impossible. The Court notes that Decision 2010/87 provides for such mechanisms. In this respect, it highlights in particular that, according to this decision, the data exporter and the recipient of the transfer must verify in advance whether the required level of protection is complied with in the third country concerned and, if necessary, the recipient must notify the data exporter that it cannot comply with the standard protection clauses, whereupon the exporter must suspend the data transfer and/or withdraw from the contract with the recipient.

Finally, the Court examines the validity of Privacy Shield Decision 2016/1250 against the requirements of the GDPR in light of the Charter’s provisions vouching for respect for private and family life, the protection of personal data, and the right to effective judicial protection. In this regard, he notes that this decision, like the Safe Harbor Decision 2000/520, gives priority to the requirements of national security, public interest, and compliance with U.S. law, which allows interference with the fundamental rights of individuals whose data are transferred to the United States. It concludes that the limitations on the protection of personal data assessed by the Commission in PrivacyShield Decision 2016/1250, which result from the fact that, under United States law, the American authorities may access and use such data transferred from the Union to that third country, are not regulated in such a way as to meet requirements equivalent in substance to those existing under Union law in accordance with the principle of proportionality, since the monitoring programs based on United States law are not limited to what is strictly necessary. Based on the findings in that order, the Court points out that, with respect to certain surveillance programs, the regulations in question do not in any way indicate that there are any limitations on the authorization contained therein to carry out those programs; nor is it apparent that there are any safeguards for persons potentially covered by those programs who are not U.S. citizens. The Court added that, while these rules provide requirements to be followed by U.S. authorities in carrying out the surveillance programs in question, they do not confer on data subjects any rights that can be enforced in court against U.S. authorities.

With regard to the requirement of judicial protection, the Court finds that, contrary to the Commission’s findings therein, the ombudsman mechanism referred to in Privacy Shield Decision 2016/1250 does not provide data subjects with a judicial remedy before a body offering guarantees equivalent in substance to those required by EU law, that is to say, guarantees guaranteeing both the independence of the ombudsman provided for by that mechanism and the existence of standards empowering the ombudsman to take binding decisions vis-à-vis the US intelligence services. i.e., guarantees that ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of standards authorizing the Ombudsperson to issue binding decisions vis-à-vis U.S. intelligence agencies. For all these reasons, the Court declares Decision 2016/1250 invalid.

The consequence

At the very least, the company’s own data protection declarations will probably have to be reviewed to see whether they need to be adapted. I will write a more detailed article on when this is the case and how to react!

Marian Härtel
Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.

Tags: EntscheidungenFacebookGeneral Data Protection RegulationKIPersonal dataPrivacyRegulationServerSicherheitStandard contractual clausesVerträge

Weitere spannende Blogposts

Employees of the BRD-GmbH must also pay broadcasting fees

Employees of the BRD-GmbH must also pay broadcasting fees
7. November 2022

Sometimes there are judgments that are just fun to read! A citizen of the Reich brought an action before the...

Read moreDetails

Drafting contracts for SaaS companies: Tips from an IT law expert

Drafting contracts for SaaS companies: Tips from an IT law expert
10. October 2024

Software as a Service (SaaS) has established itself as the dominant business model in the IT industry. For SaaS companies,...

Read moreDetails

Building sustainable trust with professional contracts

Building sustainable trust with professional contracts
14. March 2023

Trust is a central factor in any business relationship. With professional contracts, companies can build sustainable trust between themselves and...

Read moreDetails

Why are contracts important?

Why are contracts important?
2. July 2019

I often write here in the blog about how important I think it is for certain industries to work on...

Read moreDetails

Is the NetzDG permissible? ECJ with an exciting decision

Lego brick still protected as a design patent
15. November 2023

The ECJ has made an exciting decision that could also be relevant for the NetzDG, which applies to Instagram or...

Read moreDetails

Blockchain and smart contracts

Blockchain and smart contracts
10. October 2024

Blockchain technology and smart contracts have the potential to revolutionize numerous industries and enable new business models. These technologies offer...

Read moreDetails

OnlyFans management contracts: What content?

OnlyFans management contracts: What content?
24. September 2024

OnlyFans has developed into one of the leading platforms for content creators in recent years. More and more artists are...

Read moreDetails

SEO and law – a balancing act between visibility and security

img LkyqWNCTGcprds9IuQPTVGz9
21. November 2023

As a lawyer specializing in IT law, copyright law and competition law, I face the challenges that arise at the...

Read moreDetails

Legal challenges for influencers when making critical statements about companies

24. September 2024

In current legal practice, there is an increasing number of cases in which influencers are involved in legal disputes due...

Read moreDetails
Startup ohne Entwickler?
Gloss / Opinion

Startup ohne Entwickler?

8. July 2025

Es ist spätabends, der Kaffee neben dem Laptop ist längst kalt, doch ich lächle zufrieden: In wenigen Stunden habe ich...

Read moreDetails
Keine stillschweigende AGB-Änderung – Schweigen gilt nicht als Zustimnung

Keine stillschweigende AGB-Änderung – Schweigen gilt nicht als Zustimnung

7. July 2025
So langsam nimmt der Shop Form an

So langsam nimmt der Shop Form an

3. July 2025
Dark Patterns: UX-Tricks im Visier von Gesetzgeber und Gerichten

Dark Patterns: UX-Tricks im Visier von Gesetzgeber und Gerichten

2. July 2025
Altersverifikation im Internet: Pflichten für Anbieter in Deutschland und Europa

Altersverifikation im Internet: Pflichten für Anbieter in Deutschland und Europa

30. June 2025

Podcastfolge

Leben als IT-Anwalt, Work-Life Balance, Familie und meine Karriere

Leben als IT-Anwalt, Work-Life Balance, Familie und meine Karriere

25. September 2024

In dieser fesselnden Episode meines IT-Medialaw Podcasts teile ich, Marian Härtel, meine persönliche Reise als leidenschaftlicher IT-Rechtsanwalt. Ich erzähle von...

Read moreDetails
Startups und Innovation in Deutschland – Herausforderungen und Chancen

Startups und Innovation in Deutschland – Herausforderungen und Chancen

25. September 2024
Rechtliche Grundlagen und Praxis von Open Source in der Softwareentwicklung

Rechtliche Grundlagen und Praxis von Open Source in der Softwareentwicklung

19. April 2025
Rechtssichere Influencer-Agentur-Verträge: Strategien zur Vermeidung unerwarteter Kündigungen

Rechtssichere Influencer-Agentur-Verträge: Strategien zur Vermeidung unerwarteter Kündigungen

19. April 2025
Rechtskette beim Spieleentwickler

Rechtskette beim Spieleentwickler

19. April 2025

Video

Mein transparente Abrechnung

Mein transparente Abrechnung

10. February 2025

In diesem Video rede ich ein wenig über transparente Abrechnung und wie ich kommuniziere, was es kostet, wenn man mit...

Read moreDetails
Faszination zwischen und Recht und Technologie

Faszination zwischen und Recht und Technologie

10. February 2025
Meine zwei größten Herausforderungen sind?

Meine zwei größten Herausforderungen sind?

10. February 2025
Was mich wirklich freut

Was mich wirklich freut

10. February 2025
Was ich an meinem Job liebe!

Was ich an meinem Job liebe!

10. February 2025
  • Privacy policy
  • Imprint
  • Contact
  • About lawyer Marian Härtel
Marian Härtel, Rathenaustr. 58a, 14612 Falkensee, info@itmedialaw.com

Marian Härtel - Rechtsanwalt für IT-Recht, Medienrecht und Startups, mit einem Fokus auf innovative Geschäftsmodelle, Games, KI und Finanzierungsberatung.

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
  • en English
  • de Deutsch
Kostenlose Kurzberatung