Data Protection Commissioner v. Facebook & Max Schrems (CJEU)
- Irish High Court Orders DPC to Move Forward in Facebook Investigation: The Irish High Court today issued an order in a follow-on case to Irish Data Protection Commissioner v. Facebook and Schrems ("Schrems II") and, as a result, the investigation into Facebook's U.S.-EU data transfers will move forward. The case arises from a complaint filed with the DPC in Ireland against Facebook by privacy activist Max Schrems in 2013 alleging that the company violated EU law when it transferred personal data to the U.S. (where the company is obliged to provide access to the government). The case has since been referred two separate times to the highest court in Europe (the CJEU), and has led to the invalidation of both the U.S.-EU Safe Harbor Agreement and the U.S.-EU Privacy Shield Agreement. The CJEU in the Schrems II decision last year remanded the case to the Irish DPC to determine whether Facebook violated the law and whether it was necessary to block Facebook's U.S.-EU data transfers. The DPC later issued a Preliminary Draft Decision to Facebook and laid out procedures for the inquiry. Both Facebook and Schrems challenged the DPC procedures. The DPC agreed in a settlement with Schrems that it would complete the investigation into his original complaint. The Irish High Court today rejected Facebook's challenge to the DPC inquiry, and both the Schrems complaint and this new DPC inquiry against Facebook will move forward. EPIC participated as an amicus curiae in Schrems II, arguing that U.S. Surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad. (May. 14, 2021)
- Facebook to be Ordered to Stop Sending EU Data to U.S.: The Irish Data Protection Commissioner has reportedly issued a preliminary order instructing Facebook to stop transferring the data of EU users to the United States. The order comes in the wake of a recent the European Court of Justice (CJEU) decision which found the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. EPIC participated as an amicus curiae in the case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad. (Sep. 10, 2020)
- Schrems Files 101 Complaints Targeting US-EU Data Transfers (Aug. 18, 2020) +
- Transatlantic Consumer Groups: No New Data Transfer Agreement Until Privacy Protections Improved (Jul. 28, 2020) +
- BREAKING: Top Court in Europe Invalidates EU-U.S. Privacy Shield, Citing Lack of Privacy Safeguards and Overbroad U.S. Surveillance Laws (Jul. 16, 2020) +
- EU Legal Advisor Advances Privacy for National Security Matters (Jan. 16, 2020) +
- EU Advocate General Backs Data Transfers, Criticizes Privacy Shield (Dec. 19, 2019) +
- Max Schrems Files GDPR Complaints with French Data Protection Agency (Dec. 10, 2019) +
- FTC Announces Privacy Shield No Penalty Enforcement Action (Dec. 3, 2019) +
- European Privacy Board Cites Concerns about EU-U.S. Privacy Shield (Nov. 14, 2019) +
- EU-U.S. Privacy Shield Renewed, Still in Dispute in Court (Oct. 23, 2019) +
- Access Now Calls for Privacy Shield to be Struck Down (Sep. 18, 2019) +
- Company Violates Privacy Shield, FTC Imposes No Penalty (Aug. 22, 2019) +
- EPIC Comments on Canada Transborder Data Flow Policy (Aug. 6, 2019) +
- EPIC Comments on Third Annual Privacy Shield Review (Jul. 15, 2019) +
- EPIC to Discuss US Surveillance before Top European Court (Jul. 8, 2019) +
- EPIC Urges Senate to Strengthen US Privacy Laws for Cross Border Data Flows (Mar. 26, 2019) +
- European Privacy Board Report Criticizes Privacy Shield Compliance (Jan. 25, 2019) +
- EU-U.S. Privacy Shield Renewed, Privacy Commitments Ignored (Dec. 19, 2018) +
- U.S. Defends Privacy Shield, But Fails to Comply with Privacy Commitments (Sep. 5, 2018) +
- EPIC Comments on Second Annual Privacy Shield Review (Aug. 14, 2018) +
- For Internet Policy, EPIC Urges Congress to Update U.S. Privacy Laws (Jul. 30, 2018) +
- European Parliament: 'Privacy Shield' Does Not Protect Privacy, Calls for Suspension (Jul. 5, 2018) +
- FTC Announces Another Privacy Settlement, But Again Imposes No Penalties (Jul. 2, 2018) +
- European Civil Liberties Committee: 'Privacy Shield' Should Be Suspended (Jun. 12, 2018) +
- EPIC Seeks Records from FTC Regarding Irish Audits of Facebook (May. 11, 2018) +
- Facebook Denied Attempt to Delay Review of EU-US Personal Data Transfers (May. 3, 2018) +
- European Court of Justice Receives Key Questions on Future of EU-US Personal Data Transfers (Apr. 12, 2018) +
- EPIC Tells House to Probe Commerce Secretary on Data Protection, Privacy Shield (Mar. 20, 2018) +
- European Court of Justice Grants Standing to Privacy Advocate But Bars Class Action under Austrian Law (Jan. 30, 2018) +
- Congress Renews Controversial Surveillance Measure, EU Impacted (Jan. 18, 2018) +
- European Privacy Experts Call for New Review of EU-US Data Arrangement (Dec. 5, 2017) +
- European Court Adviser Says Facebook Privacy Class Action Barred (Nov. 15, 2017) +
- European Court Adviser Says Local Regulators Can Enforce Privacy Laws Against Facebook (Oct. 24, 2017) +
- EU Approves Data Transfer Arrangement, But Seeks Stronger U.S. Privacy Protections (Oct. 18, 2017) +
- EPIC Urges House to Strengthen US Privacy Laws for Cross Border Data Flows (Oct. 12, 2017) +
- FTC Announces Privacy Shield Settlement but Imposes No Penalties (Sep. 8, 2017) +
- European Privacy Officials Push for Answers on Status of U.S. Privacy (Jun. 13, 2017) +
- EPIC Urges Senate Committee To Reform Surveillance Law (Jun. 6, 2017) +
- EPIC, Privacy Coalition Meet with EU Data Protection Supervisor (Apr. 21, 2017) +
- European Parliament Expresses Alarm Over Rollback of US Privacy Safeguards (Apr. 6, 2017) +
- NGOs Continue Campaign Against Privacy Shield (Mar. 2, 2017) +
- EPIC Urges House Committee To Ensure Transparency, Public Reporting in Surveillance Law (Mar. 1, 2017) +
- EPIC in Court: Irish High Court Examines EU-US Data Transfers (Mar. 1, 2017) +
- European Privacy Officials Raise Concerns About US Immigration Executive Order (Feb. 22, 2017) +
- Senators Calls for Answers from Secretary Kelly on Privacy Act Exclusion (Feb. 9, 2017) +
- EPIC Participates in Irish Case on Future of EU-US Data Transfers (Feb. 6, 2017) +
- US Designates Countries Covered Under the Judicial Redress Act (Jan. 23, 2017) +
- White House Publishes Privacy Report, Data Breaches Continue to Rise, as Obama Leaves Office (Jan. 19, 2017) +
- EPIC Tells Senate to Probe Commerce Nominee on Data Protection, Privacy Shield (Jan. 18, 2017) +
- New Study Shows Global Increase in Comprehensive Privacy Protections (Nov. 29, 2016) +
- Second Legal Challenge Launched Against "Privacy Shield" (Nov. 3, 2016) +
- Privacy Advocates Challenge EU-US Data Transfer Agreement (Oct. 27, 2016) +
- Reuters: US Government Issued Secret Order to Yahoo to Scan All E-mails (Oct. 4, 2016) +
- Privacy Shield Sign-ons Begin (Aug. 2, 2016) +
- Irish Court Approves EPIC as Amicus in Schrems Case (Jul. 19, 2016) +
- European Commission Signs Off on Flawed "Privacy Shield" (Jul. 12, 2016) +
- Privacy Shield Revisions Fail to Satisfy Legal Requirements (Jun. 29, 2016) +
- EPIC's Rotenberg Outlines Need for International Privacy Framework (Jun. 17, 2016) +
- Top European Privacy Official Rejects EU-US "Privacy Shield" (May. 31, 2016) +
- European Parliament Requires Changes to Privacy Shield (May. 26, 2016) +
- TACD Opposes "Privacy Shield," Urges Rejection by EU (Apr. 7, 2016) +
- EPIC's Rotenberg Urges European Parliament to Condition "Privacy Shield' on End of 702 Surveillance (Mar. 17, 2016) +
- NGOs - "Privacy Shield" is Failed Approach for EU-US Data Protection (Mar. 16, 2016) +
- "Privacy Shield" Released, New Questions Raised (Feb. 29, 2016) +
- European Commission Wrongly Denies EPIC's Request For "Privacy Shield" (Feb. 26, 2016) +
- Department of Commerce: Privacy Shield "does not exist" (Feb. 10, 2016) +
- EPIC Seeks Release of "Privacy Shield," Secret Data Transfer Agreement (Feb. 4, 2016) +
- Privacy Commissioners to Review "Privacy Shield" (Feb. 3, 2016) +
- Anticipating Annulment, EU-US Negotiators Sign Off on "Privacy Shield" (Feb. 2, 2016) +
- Schrems Responds to US Lobby Groups on Safe Harbor (Jan. 29, 2016) +
- "Clock is ticking" on Safe Harbor, says European Consumer Organization (Jan. 29, 2016) +
- EPIC v. DOJ: EPIC Prevails, DOJ Releases Secret EU-US Umbrella Agreement (Jan. 25, 2016) +
- EPIC Urges Senate to Postpone Action on Judicial Redress Act (Jan. 16, 2016) +
- EPIC Seeks Default Judgment in Umbrella Agreement Lawsuit (Jan. 6, 2016) +
- European Institutions Conclude Data Protection Reform (Dec. 15, 2015) +
- Senate Postpones Action on Weak EU-US Privacy Measure (Dec. 12, 2015) +
- Austrian Supreme Court to Consider Schrems' Case against Facebook (Dec. 4, 2015) +
- Schrems Pursues Legal actions to Block Data Transfers to the US (Dec. 2, 2015) +
- NGOs Reject "Safe Harbor 2.0," Urge EU and US to Protect Fundamental Rights (Nov. 12, 2015) +
- European Commission Issues Guidance on Data Transfers Post-Schrems (Nov. 6, 2015) +
- EPIC Sues for Release of Secret EU-US "Umbrella Agreement" (Nov. 4, 2015) +
- EPIC to Call For Comprehensive Overhaul of U.S. Privacy Law (Nov. 2, 2015) +
- Civil Society Leaders in Amsterdam Issue Declaration on Fundamental Rights (Oct. 28, 2015) +
- After FOI Request, EPIC Obtains Secret "Umbrella Agreement" from the EU Commission (Oct. 23, 2015) +
- House Passes Faux Privacy Bill (Oct. 21, 2015) +
- Case Against Facebook Moves Forward in Ireland (Oct. 20, 2015) +
- European Data Protection Authorities Conclude Data Transfers under Safe Harbor Now Unlawful (Oct. 17, 2015) +
- European Court Strikes Down "Safe Harbor," Focus Shifts to Adequacy of US Privacy Laws (Oct. 6, 2015) +
- EPIC Expresses Support for Advocate General Opinion in Schrems Case (Sep. 28, 2015) +
- Decision by EU Legal Advisor Signals End of "Safe Harbor" (Sep. 23, 2015) +
More top news
Data Protection Commissioner v. Facebook & Max Schrems is a case before the Court of Justice for the European Union (CJEU) concerning the protection of personal data transferred from Facebook Ireland to Facebook US. The case follows the landmark ruling by the CJEU in "Schrems I" striking down the US-EU "Safe Harbor" agreement, which had previously authorized transfers of personal data from the EU and the United States. The Irish DPC v. Facebook & Schrems ("Schrems II") case arose from a complaint filed by the Irish Data Protection Commissioner in Irish High Court seeking a reference of fundamental EU law questions to the CJEU. The case concerns whether data transfers pursuant to the "standard contractual clauses" that were previously approved by the European Commission violates the European Charter of Fundamental Rights.
Following the CJEU ruling in Schrems I invalidating the "Safe Harbor" agreement, Austrian privacy activist Max Schrems filed a renewed complaint with the Irish Data Protection Commissioner challenging Facebook’s transfers of his personal data to the United States. The Irish DPC determined that Facebook was transferring personal data to the US pursuant to the standard contractual clauses (SCCs). EU law permits transfers of personal data to other countries even if there is no "adequacy" determination for the target jurisdiction, so long as the transferring entity uses an approved mechanism to provide sufficient data privacy safeguards. One of the mechanisms approved by the European Commission are certain "standard contractual clauses." But mr Schrems argued that Facebook's transfers to the U.S. violated his fundamental rights under EU Law despite the existence of these contracts. In response, the Irish DPC investigated into two key issues: whether the US provides adequate legal protection to EU users whose data is transferred, and, if not, could the SCCs used by Facebook Ireland and Facebook, Inc. to regulate the transfer of that data raise the level of protection and still render transfer permissible? The DPC determined that US law fails to adequately provide legal remedies to EU citizens and the SCCs did not provide an adequate remedy above and beyond that shortcoming. The Irish DPC brought suit in Irish High Court, requesting that the court refer legal questions to the CJEU concerning the validity of the SCCs and whether the transfers violated fundamental rights in the EU. The Irish High Court selected four groups to file as amicus in that case, and EPIC was selected and provided detailed submissions on US surveillance and privacy law.
On October 3, 2017, the High Court ruled that there were "well founded" concerns that SCCs violate European fundamental rights and that it would send the case to the CJEU. The High Court formally referred the case to the CJEU on April 12, 2018. The referral asked the CJEU to address eleven questions related to the validity of the SCC.
In circumstances in which personal data is transferred by a private company from a European Union (EU) member state to a private company in a third country for a commercial purpose pursuant to Decision 2010/87/EU1 as amended by Commission Decision 2016/22972 (“the SCC Decision”) and may be further processed in the third country by its authorities for purposes of national security but also for purposes of law enforcement and the conduct of the foreign affairs of the third country, does EU law (including the Charter of Fundamental Rights of the European Union (“the Charter”)) apply to the transfer of the data notwithstanding the provisions of Article 4(2) of TEU in relation to nationalsecurity and the provisions of the first indent of Article 3(2) of Directive 95/46/EC3 (“the Directive”) in relation to public security, defence and State security?
(1) In determining whether there is a violation of the rights of an individual through the transfer of data from the EU to a third country under the SCC Decision where it may be further processed for national security purposes, is the relevant comparator for the purposes of the Directive: a) The Charter, TEU, TFEU, the Directive, ECHR (or any other provision of EU law); or b) The national laws of one or more member states?
(2) If the relevant comparator is b), are the practices in the context of national security in one or more member states also to be included in the comparator?
When assessing whether a third country ensures the level of protection required by EU law to personal data transferred to that country for the purposes of Article 26 of the Directive, ought the level of protection in the third country be assessed by reference to:
a) The applicable rules in the third country resulting from its domestic law or international commitments, and the practice designed to ensure compliance with those rules, to include the professional rules and security measures which are complied with in the third country; OR
b) The rules referred to in a) together with such administrative, regulatory and compliance practices and policy safeguards, procedures, protocols, oversight mechanisms and non judicial remedies as are in place in the third country?
Given the facts found by the High Court in relation to US law, if personal data is transferred from the EU to the US under the SCC Decision does this violate the rights of individuals under Articles 7 and/or 8 of the Charter?
Given the facts found by the High Court in relation to US law, if personal data is transferred from the EU to the US under the SCC Decision:
a) Does the level of protection afforded by the US respect the essence of an individual’s right to a judicial remedy for breach of his or her data privacy rights guaranteed by Article 47 of the Charter?
If the answer to a) is yes,
b) Are the limitations imposed by US law on an individual’s right to a judicial remedy in the context of US national security proportionate within the meaning of Article 52 of the Charter and do not exceed what is necessary in a democratic society for national security purposes?
(1) What is the level of protection required to be afforded to personal data transferred to a third country pursuant to standard contractual clauses adopted in accordance with a decision of the Commission under Article 26(4) in light of the provisions of the Directive and in particular Articles 25 and 26 read in the light of the Charter?
(2) What are the matters to be taken into account in assessing whether the level of protection afforded to data transferred to a third country under the SCC Decision satisfies the requirements of the Directive and the Charter?
Does the fact that the standard contractual clauses apply as between the data exporter and the data importer and do not bind the national authorities of a third country who may require the data importer to make available to its security services for further processing the personal data transferred pursuant to the clauses provided for in the SCC Decision preclude the clauses from adducing adequate safeguards as envisaged by Article 26(2) of the Directive?
If a third country data importer is subject to surveillance laws that in the view of a data protection authority conflict with the clauses of the Annex to the SCC Decision or Article 25 and 26 of the Directive and/or the Charter, is a data protection authority required to use its enforcement powers under Article 28(3) of the Directive to suspend data flows or is the exercise of those powers limited to exceptional cases only, in light of Recital 11 of the Directive, or can a data protection authority use its discretion not to suspend data flows?
(1) For the purposes of Article 25(6) of the Directive, does Decision (EU) 2016/12504 (“the Privacy Shield Decision”) constitute a finding of general application binding on data protection authorities and the courts of the member states to the effect that the US ensures an adequate level of protection within the meaning of Article 25(2) of the Directive by reason of its domestic law or of the international commitments it has entered into?
(2) If it does not, what relevance, if any, does the Privacy Shield Decision have in the assessment conducted into the adequacy of the safeguards provided to data transferred to the United States which is transferred pursuant to the SCC Decision?
Given the findings of the High Court in relation to US law, does the provision of the Privacy Shield ombudsperson under Annex A to Annex III of the Privacy Shield Decision when taken in conjunction with the existing regime in the United States ensure that the US provides a remedy to data subjects whose personal data is transferred to the US under the SCC Decision that is compatible with Article 47 of the Charter?
Does the SCC Decision violate Articles 7, 8 and/or 47 of the Charter?
The Irish High Court accepted EPIC's application to participate in the case below, as the only US privacy group, to provide a counterbalancing perspective on U.S. surveillance law to the views offered by the U.S. Government. EPIC has previously participated as an amicus before other international courts. For instance, EPIC joined a case before the European Court of Human Rights concerning the activities of British and U.S. intelligence organizations. EPIC has also appeared as a "friend of the court" in almost 100 cases in the United States concerning emerging privacy and civil liberties issues.
EPIC has taken a leading role in the policy debate over data transfers between the EU and the US, advocating for adequate safeguards for transatlantic data transfers. EPIC and a coalition of EU and U.S. consumer organizations have opposed the Privacy Shield arrangement for its failure to comply with the terms set out by the CJEU in its Safe Harbor decision. Speaking before the European Parliament, Marc Rotenberg outlined several flaws in the agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In testimony before Congress, EPIC also criticized the prior Safe Harbor Arrangement for its lack of effective means of enforcement, redress, and accountability for privacy violations.
- EPIC, Max Schrems v Data Protection Commissioner (CJEU, "Safe Harbor" case)
- EPIC, Data Protection Commissioner v. Facebook & Max Schrems (Irish High Court, Standard Contractual Clauses case)
- EPIC Submissions to the Irish High Court, Data Protection Commissioner v. Facebook & Max Schrems (Feb. 27, 2017)
- NOYB, EU-US Data Transfers
- EPIC, General Data Protection Regulation
- EPIC, Privacy Shield EU-U.S. Data Transfer Arrangement
- EPIC, Statement to House Appropriations Committee (Mar. 20, 2018)
- European Commission, Commission Implementing Decision of 12.7.2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield
- European Commission, Annexes to the Commission Implementing Decision (July 12, 2016)
- US Department of Commerce, EU-US Privacy Shield Framework Principles
- US Department of Commerce, EU-US Privacy Shield Framework Principles
- Article 29 Working Party, Report on EU-US Privacy Shield Annual Review (Nov. 28, 2017)
- Press Release,EU-US Privacy Shield data exchange deal: US must comply by 1 September, say MEPs (June 12, 2018)
- Alan Butler, United States of America ∙ Whither Privacy Shield in the Trump Era? EDPL (2017)
Relevant CJEU Caselaw
- Schrems v. Data Protection Commissioner, C‑362/14 (2015)
- Digital Rights Ireland and Others, C‑293/12 and C‑594/12 (2014)
- Google Spain v. AEPD, C‑131/12 (2014)
- Commission v Hungary, C‑288/12 (2014)
- Unibet (London) Ltd and Unibet (International) Ltd v. Justitiekanslern, case C-432/05 (2007)
- Justin Hemmings, European Parliament’s Civil Liberties Committee Targets EU-U.S. Privacy Shield, Cloud Act, JD Supra (June 14, 2018)
- Natasha Lomas, Pressure mounts on EU-US Privacy Shield after Facebook-Cambridge Analytica data scandal, Tech Crunch (June 12, 2018)
- Rebecca Hill, EU-US Privacy Shield not up to snuff, data tap should be turned off - MEPs, Register (June 12, 2018)
- Thomas Shaw, Revamping Contracts For GDPR: You're Just Getting Started, Law360 (June 7, 2018)
- Mary Carolan, High Court rejects Facebook bid to stall European court action, Irish Times (May 2, 2018)
- Natasha Lomas, Facebook denied a stay to Schrems II privacy referral, TechCrunch (May 2, 2018)
- Eleven questions from Schrems case to be referred to CJEU, Scottish Legal News (Apr. 13, 2018)
- Rebecca Hill, Schrems' Facebook case edges closer to ruling over EU-US data flows, Register (Apr. 12, 2018)
- Thomas Shaw, A deep dive into the 'Schrems II' case, IAPP (Feb. 27, 2018)
- Kevin Cahill, Max Schrems’s mass surveillance complaint knocked back another year or two by Irish judge, Computer Weekly (October 2017)
- Mary Carolan, High Court to rule on landmark data privacy case next week, Irish Times (Sept. 28, 2017)
Share this page:
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.