The effects of the seminal Court of Justice of the EU (CJEU) decision in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, “Schrems II”) will be felt for some time. In this case the CJEU affirmed the validity of the standard contractual clauses (SCCs) for data transfers under Commission Decision 2010/87/EU (later amended by Commission Decision 2016/2297), but invalidated Commission Decision 2016/1250 which formed the legal basis for the EU-US Privacy Shield.
As there is no such adequacy agreement between the EU and Australia the ruling is of significant importance. Indeed, in its Digital Platforms Inquiry – Final Report, the Australian Competition and Consumer Commission (ACCC) recommended wide scale reform of the Privacy Act and the Australian Consumer Law in response to the significant challenges to consumer privacy brought about by our use and reliance on technology in order to bring the protections in line with international standards. However, it remains unclear whether even a wholesale adoption of ACCC’s recommendations would bring the protections in line with the GDPR. These equivalence concerns are multiplied when one considers that in the Schrems II case the CJEU was particularly concerned with law enforcement access to data and hence, individual redress against national security and intelligence services. Given Australia’s membership of the Five Eyes intelligence alliance and the extensive powers afforded to law enforcement agencies, the legitimacy of exporting personal data from the EU to Australia is in doubt. The purpose of this event therefore is to explore the implications of the Schrems II ruling for Australia.