Background to CJEU Ruling on Schrems I

(To Be Read in conjunction CJEU Ruling on Schrems II Article)

The European Data Protection Directive 95/46/EC, and the General Data Protection Regulation (GDPR) both stated that the transfer of personal data to a country outside the European Economic Area (EEA), referred to as a third country, may only tale place if that country ensures an adequate level of data protection.

The data protection laws enable the European Commission to adopt an adequacy decision regarding a third country. This decision establishes that the third country ensures an adequate level of protection of personal data by reason of its domestic law or the international commitments it has entered into.

In July 2000, the European Commission adopted a decision declaring that the United States provides for adequate safeguards for data protection. The decision of the Commission was based on the Safe Harbor framework. The Safe Harbor arrangement consisted of data protection principles to which American companies could subscribe voluntarily in order to engage in cross-border data transfers. Thus, the protections for user data relied on the self-assessment and self-certification by private companies.

Schrems I Case

Max Schrems, lodged a complaint with the Irish Data Protection Commissioner (DPC) relating to data Mr Schrems provided to Facebook which was transferred from Facebook’s Irish subsidiary (Facebook Ireland) to Facebook’s servers in the United States (Facebook Inc.). The complaint was made in light of revelations made by Mr Edward Snowden in 2013 concerning the activities of the United States intelligence services, particularly the National Security Agency. The law and practices of the US government offer no real protection against surveillance by the US government on data transferred to the USA.

The DPC rejected the complaint, on the grounds that the European Commission had made the decision that under the Safe Harbour scheme, the US ensures an adequate level of protection of the personal data transferred.

Mr. Schrems appealed the decision of the DPC before the Irish High Court. The Court decided to stay the proceedings and refer the ruling to the Court of Justice of the European Union (CJEU).

The CJEU issued its ruling on October 6, 2015, invalidating Safe Harbor. The Court ruled that:

  • national data protection authorities have the right to investigate the adequacy of data transfers under the EU-US Safe Harbor arrangement or any other arrangements concluded pursuant to an adequacy decision by the European Commission for that matter, and
  • the Safe Harbor arrangement should be invalid due to the lack of adequacy.

As a result of the Schrems I ruling, the EU and US began negotiating a replacement agreement: the EU-US Privacy Shield. The European Commission adopted Privacy Shield on July 12, 2016. However, the EU-US Privacy Shield was heavily criticised by activists and data protection experts for not providing any concrete protection against indiscriminate access to personal data for national security purposes and it still required the self-certification by US companies. For more updated information regarding Schrems II, click here