Wednesday 7 October 2015

No Safe Harbour: Sailing in the tempest (Case Maximillian Schrems v Data Protection Commissioner)

The long-awaited decision in Case C-362/14 Maximillian Schrems v Data Protection Commissioner was finally issued on 6 October 2015. Controversial in its findings, this preliminary ruling sheds new light on the ongoing debate regarding the collection, transfer and processing of EU citizens’ data by US companies, and the processing of that data by US intelligence agencies within the framework of the PRISM program.

Background information

Mr. Schrems, an Austrian citizen, has been a Facebook user since 2008. In the case of all users residing in the EU, some or all of the data with which they provide Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed.

Mr. Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner) on the grounds that, in light of the revelations made by Edward Snowden in 2013 concerning the activities of the United States intelligence services (in particular, the NSA), the law and practice in force in the United States did not offer sufficient protection against surveillance by the public authorities of data transferred to that country. The Irish supervisory authority rejected the complaint on the basis of the decision of 26 July 2000, which considered that under the “safe harbour scheme” the United States ensured an adequate level of protection of the personal data transferred (known as the Safe Harbour Decision).

Mr. Schrems then filed an appeal with the High Court of Ireland, which considered that the issue prompting his action was closely related to EU law since, according to that High Court, the Safe Harbour Decision did not comply with the principles set forth in the judgments in C-293/12 and C-594/12, EU:C:2014:238.

Preliminary questions submitted to the CJEU

On 17 July 2014, the High Court of Ireland, before which the case had been brought, submitted the following questions to the Court of Justice for a preliminary ruling:

(1)  Whether in the course of determining a complaint which has been made to an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in [Decision 2000/520] having regard to Article 7, Article 8 and Article 47 of [the Charter], the provisions of Article 25(6) of Directive [95/46] notwithstanding?

(2)  Or, alternatively, may and/or must the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission decision was first published?

The Advocate General’s Opinion of 23 September 2015

According to the Opinion of the Advocate General (Yves Bot), a company, by merely having a Safe Harbour certification, would not automatically comply with the European data directive on export requirements.

This argument had already been made in Communication COM(2013) 846 and Communication COM(2013) 847.

As was to be expected, the CJEU followed the arguments put forward by the Advocate General.

The judgment published on 6 October 2015                                              

The CJEU ruled that the Safe Harbour Decision was invalid, and that the Irish supervisory authority should have examined Mr. Schrems’ complaint comprehensively and with all due diligence in order to determine whether the transfer of data by Facebook’s European subsidiary to Facebook’s US servers was in conformity with data protection principles and with the protection of EU citizens’ fundamental rights, considering that there was evidence to suggest that the practices carried out in the US did not grant an appropriate level of protection to Mr. Schrems’ personal data.                               

This judgment shatters the Safe Harbour system that was in place and is being considered by scholars and the media as a shocking move in the protection of EU citizens’ data.

On 1 October 2015, Mr. Schrems himself was unable to foresee the result and impact of his quest.                                    

The aftermath. Potential consequences.

This decision, just like last year’s decision in C-131/12 Google Spain v AEPD and Mario Costeja González (for a comment in this blog, here), has caused a global tsunami in the data protection and IT sectors.

It is now for the EU Member States, in particular to their Data Protection Agencies, to decide on Safe Harbour within their respective jurisdictions, and even forbid it within their borders.                                   

Considering that the High Court of Ireland was the court which had brought this question to the CJEU’s attention, it will likely be the first judicial body to decide whether US companies should: (a) compile and process all EU citizens’ data within the EU; or (b) undertake to grant real protection to EU citizens’ data, avoiding any disturbance or interference from US intelligence agencies.

It must nevertheless be highlighted that the conclusions drawn by the CJEU on Safe Harbour would also apply to companies operating under a BCR (Binding Corporate Rules) or Model Contracts scheme.

On another note, Article 26 of Directive 95/46 lays down the exceptions on which US companies may wish to rely (namely, consent of data subjects, the need to transfer the data in order to perform a contract with the data subjects, etc.).

In view of the above, this CJEU decision is a call for foreign companies dealing with EU citizens’ data to protect that data under acceptable standards as per EU laws.

Authors: Cristina Espín and Alba López

Visit our website:


  1. Wonderful article, thank you for sharing the info. It isn’t too often that you simply read articles where the poster understands what they’re blogging about.


  2. To an extraordinary degree beautiful and enthralling post. I was chasing down this sort of data and recognized inspecting this one. Continue posting. Grateful for sharing.


  3. Hello, I'm happy to see some great articles on your site. Would you like to come to my site later? My site also has posts, comments and communities similar to yours. Please visit and take a look keonhacai

  4. Awesome and interesting article. Great things you've always shared with us. Thanks. Just continue composing this kind of post.

  5. This is by far the best post I've seen recently. This article, which has been devoted to your efforts, has helped me to complete my task.
    Appreciating the persistence you put into your blog and detailed information you provide.
    I really love the theme/design of your website.

  6. It is in reality a nice and useful piece of info. I am glad that you simply shared this useful info with us.

  7. I am thankful for the article post. Looking forward to visit more. 카지노사이트

  8. So good indeed! Glad to have found your page!! This is such great work!! Interesting to read. 바둑이사이트

  9. Really great article. I'm glad to read the article. It is very informative for us, thanks for posting. 카지노사이트

  10. Sailing is a timeless art and recreation that combines skill, nature, and adventure. It's the mastery of harnessing the wind's power to propel a vessel across water, a dance of wind and water. Sailors rely on their knowledge of the elements, navigation, and the intricacies of rigging to navigate the open sea or serene lakes. Whether racing competitively or leisurely cruising, sailing inspires a deep appreciation for the world's waterways and the thrill of exploration. Traffic Lawyer Warren VA

  11. Our Fairfax Criminal Lawyer combines legal expertise with a steadfast dedication to protecting clients' rights and interests, all while having a thorough understanding of the nuances of Virginia's legal system. In the ever-changing field of criminal law, where every case is different, our champion takes great pride in developing tactical and tailored defence strategies. Criminal Defense Lawyer in Fairfax VA

  12. New York State Divorce Lawyers offer expert legal guidance on divorce proceedings, including child custody, asset division, and spousal support, ensuring clients navigate the process efficiently and achieve fair resolutions.

  13. Sailing is a timeless activity that combines adventure, skill, and a deep connection with nature. It involves navigating bodies of water using the wind as the primary source of propulsion, relying on harnessing natural forces to move gracefully across oceans, lakes, or rivers. At its core, sailing is a sport that demands both technical expertise and a profound understanding of weather patterns and water conditions. Abogado conducción imprudente Chesterfield VA