CNIL points out that its conclusions apply not only to Microsoft hosting the Health Data Hub, but also to all the other kinds of French health data held on systems run by US companies.
Now that the CJEU has decided on the application of EU law in relation to bulk data retention and collection, the cases will be sent back to the national courts for a final decision.
It mostly affects the Internet giants like Facebook, which now seem to have no legal means of transferring EU personal data to the US – neither under Privacy Shield, nor using SCCs. Since the CJEU decision cannot be appealed, that leaves two main ways forward.
June 2018: Schrems files his second case against Facebook Ireland, arguing that the standard contractual clauses and the EU-US Privacy Shield are invalid, as they do not fully protect citizens’ rights.
Then, in 2016, the CJEU affirmed that decision by ruling specifically that “EU law precludes national legislation that prescribes general and indiscriminate retention of data,” in what is known as the Tele2 Sverige and Watson judgment.
according to the AG [Advocate General] the DPC [data protection commissioner in Ireland] must stop the EU-US data transfers of Facebook, once it took the view that US law violates EU fundamental rights.
Unfortunately for the online advertising industry, the CJEU begs to differ: In today’s judgment, the Court decides that the consent which a website user must give to the storage of and access to cookies on his or her equipment is not validly constituted by way of a pre-checked checkbox which that user must deselect to refuse his or her consent.
In particular, the BGH asked the CJEU to determine whether dynamic IP addresses are personal data in the hands of a website operator, if a third party (e.g., an Internet Service Provider (" ISP ")) holds additional information (e.g., account details) that can be used to link those dynamic IP addresses to the identity of the relevant individual.