Data Protection Commissioner v. Facebook & Max Schrems (CJEU)

Top News


Data Protection Commissioner v. Facebook & Max Schrems is a follow up case to the landmark Court of Justice for the European Union (CJEU) ruling striking down the "Safe Harbor" arrangement for transferring personal data of EU consumers from the EU and the United States. This case, now before the CJEU, was brought by the Irish Data Protection Commissioner in Irish High Court. The case concerns whether transferring data to the United States using a different legal mechanism, "standard contractual clauses," violates the European Charter of Fundamental Rights.

Following the CJEU ruling invalidating "Safe Harbor" (promptly replaced by a similarly flawed EU-US "Privacy Shield" pact), Austrian privacy activist Schrems filed a renewed complaint with the Irish DPC based on Facebook’s use of standard contractual clauses (SCCs); to authorize EU-US data transfers. If a country does not have an adequate level of privacy protection, EU law still permits personal data to be transferred abroad where another legal mechanism, can provide sufficient data privacy safeguards. Mechanisms approved by the European Commission include certain "standard contractual clause." However, Schrems contended that U.S. surveillance law is not in line with the requirements laid down by EU law including the judgment of the CJEU in the Safe Harbor decision, resulting in a violation of European fundamental rights notwithstanding the use of SCCs. The Irish DPC began an investigation into two key issues: does the US provide adequate legal protection to EU users whose data is transferred, and, if not, could SCCs used by Facebook Ireland and Facebook, Inc. to regulate the transfer of that data raise the level of protection and still render transfer permissible? The DPC determined that US law fails to adequately provide legal remedies to EU citizens and the SCCs did not provide an adequate remedy above and beyond that shortcoming. The Irish DPC brought suit in Irish High Court, asking referral to the CJEU on the question of whether the SCCs violated EU fundamental rights. EPIC was designated the sole US amicus in that case and provided detailed submissions on US surveillance and privacy law.

The High Court formally referred the case to the CJEU on April 12, 2018. The court found week that referred “well-founded concerns that there is an absence of an effective legal remedy in U.S. law” for U.S. surveillance and referred the matter to the high court of Europe. The High Court asked eleven questions of the CJEU to determine whether the SCC's are invalid. These include: whether the US provides sufficient remedies for privacy violations, whether US surveillance violates Europeans' rights when their data is transferred to the US using an SCC, whether future data transfers should be suspended, and whether the EU-US "Privacy Shield" matters to the case.

Next, the CJEU will issue a formal "notice" of the case initiating proceedings.

EPIC’s Interest

The Irish High Court accepted EPIC's application to participate in the case below as the only NGO from the United States to provide a counterbalancing perspective on U.S. surveillance law to the views offered by the U.S. Government. EPIC has participated as an amicus before international courts. For instance, EPIC joined a case before the European Court of Human Rights concerning the activities of British and U.S. intelligence organizations. EPIC has also appeared as a "friend of the court" in almost 100 cases in the United States concerning emerging privacy and civil liberties issues.

EPIC has a long history in the policy debate over data transfers between the EU and the US, advocating for adequate safeguards for transatlantic data transfers. EPIC and a coalition of EU and U.S. consumer organizations have opposed the Privacy Shield arrangement for its failure to comply with the terms set out by the CJEU in its Safe Harbor decision. Speaking before the European Parliament, Marc Rotenberg outlined several flaws in the agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In testimony before Congress, EPIC also criticized the prior Safe Harbor Arrangement for its lack of effective means of enforcement, redress, and accountability for privacy violations.

Legal Documents

  • Irish High Court Referral to the CJEU (April 12, 2018)
  • Resources


    Share this page:

    Support EPIC

    EPIC relies on support from individual donors to pursue our work.

    Defend Privacy. Support EPIC.