
Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (C-311/18)

Authored By: JABALIN SU KAN YA

Junior Associate at White and Wise Law Firm

Schrems II (C-311/18), Court of Justice of the European Union (Grand Chamber), judgment of 16 July 2020

  • Nature of the Case: International data transfers, GDPR compliance
  • Parties: The Irish Data Protection Commissioner (DPC) brought the proceedings before the Irish High Court; Facebook Ireland Ltd and Maximillian Schrems were the respondents there, Schrems being the original complainant. The European Commission, whose Privacy Shield adequacy decision was under review, submitted observations but was not a party.
  • Bench: Court of Justice of the European Union (CJEU), Grand Chamber

Introduction

Max Schrems is an Austrian lawyer, privacy activist, and founder of the non-profit organization noyb (None of Your Business). He is best known for his legal actions against Facebook and his role in shaping EU data protection laws, particularly through the Schrems I and Schrems II cases.

Schrems advocates for stronger data privacy rights and has played a significant role in enforcing the General Data Protection Regulation (GDPR). His complaints led to the invalidation of the EU-US Safe Harbor (2015) and Privacy Shield (2020) frameworks, which previously facilitated data transfers between the EU and the US. Through his work, Schrems continues to push for better enforcement of privacy laws and greater accountability from tech companies handling personal data.

In both cases he challenged the legality of data transfers from the European Union (EU) to the United States (US), using Facebook's transfers as the test case. The Schrems II ruling had significant consequences for global businesses, transatlantic data flows, and privacy law, shaping the way companies handle EU personal data under the GDPR.

Previous Legal Developments: Schrems I and Safe Harbor:

    • Schrems I (C-362/14) [2015]:
        • Challenged the Safe Harbor Decision (Commission Decision 2000/520), which allowed EU-US data transfers to self-certified US companies.
        • The CJEU invalidated Safe Harbor: a scheme that let US authorities access the content of electronic communications on a generalised basis, and gave EU individuals no judicial redress, could not ensure protection essentially equivalent to that guaranteed in the EU. The complaint itself was triggered by the 2013 Snowden revelations about US surveillance programs such as PRISM and UPSTREAM.
    • Privacy Shield (2016-2020):
        • A replacement for Safe Harbor (Commission Decision (EU) 2016/1250), again based on self-certification by US companies of compliance with EU data protection principles.
        • Criticized because US surveillance law continued to take precedence over the companies' privacy commitments and because EU citizens lacked effective legal remedies.

Facts of the Case

  • Dispute Over Data Transfers to the US:
      • Facebook Ireland transfers personal data of EU users to Facebook Inc. (USA) for processing.
      • Schrems challenged these transfers, arguing that US law allows mass surveillance (e.g., the PRISM and UPSTREAM programs), violating EU citizens' fundamental rights.
      • His argument focused on two data transfer mechanisms:
          • EU-US Privacy Shield: A framework that allowed companies to self-certify compliance with EU privacy principles.
          • Standard Contractual Clauses (SCCs): Commission-approved contract terms used by companies to provide appropriate safeguards when transferring data outside the European Economic Area (EEA).
  • Schrems' Complaint & Irish DPC Investigation:
      • Schrems initially filed a complaint against Facebook Ireland in 2013, which led to Schrems I (2015), invalidating the Safe Harbor framework (the predecessor to Privacy Shield).
      • After Schrems I, Facebook continued its transfers on the basis of SCCs.
      • In December 2015, Schrems reformulated his complaint to the Irish Data Protection Commissioner (DPC), arguing that SCCs cannot prevent US government surveillance.
      • The DPC took the preliminary view that the complaint was well founded and brought proceedings before the Irish High Court, which referred 11 questions to the CJEU for a preliminary ruling.

Legal Issues: The key legal questions before the CJEU were:

  1. Does the EU-US Privacy Shield provide an “adequate level of protection” under GDPR and the Charter of Fundamental Rights (CFR)?
  2. Are SCCs a valid mechanism for data transfers when the importing country (e.g., the US) has laws that permit mass surveillance?
  3. What obligations do companies and regulators have when using SCCs for international transfers?

Legal Principles

Fundamental Rights Protection – The ruling is based on Articles 7, 8, and 47 of the Charter of Fundamental Rights of the European Union (CFR): 

  • Article 7: Right to respect for private and family life.
  • Article 8: Protection of personal data.
  • Article 47: Right to an effective remedy and a fair trial.

Adequacy of Data Transfers Under GDPR – The case interprets Articles 45 and 46 of the General Data Protection Regulation (GDPR):

  • Article 45: A transfer may be based on a Commission adequacy decision finding that the third country ensures an adequate level of protection, which the Court reads as a level essentially equivalent to that guaranteed in the EU.
  • Article 46: Absent an adequacy decision, transfers may rely on appropriate safeguards such as Standard Contractual Clauses (SCCs), but these must in practice deliver that same essentially equivalent level of protection.

Proportionality and Necessity in Government Surveillance – The Court found that the surveillance programs conducted under FISA Section 702 (PRISM, UPSTREAM) and the collection under Executive Order 12333 are not limited to what is strictly necessary and proportionate, and give EU data subjects no rights enforceable against the US authorities, contrary to the principles of necessity and proportionality under EU law.

Legal Certainty & Accountability in International Data Transfers – The decision reinforces the need for clear and enforceable protections when companies transfer personal data across borders, ensuring compliance with the GDPR and fundamental rights standards.

Arguments by Schrems (the original complainant) – Schrems and his legal team argued:

  • Inadequate Protection Under US Law:
      • US laws (e.g., FISA Section 702, Executive Order 12333) allow mass surveillance by intelligence agencies such as the NSA, violating the EU fundamental rights to privacy and data protection.
  • Lack of Redress Mechanisms for EU Citizens:
      • EU citizens have no effective legal remedies in US courts to challenge data access by intelligence agencies, violating Article 47 of the CFR (Right to an Effective Remedy).
  • Invalidity of Privacy Shield:
      • The Privacy Shield does not prevent disproportionate US government access to EU personal data.
  • SCCs Do Not Fix the Problem:
      • SCCs bind only the contracting parties, not the US authorities; where the importing country's laws override the contractual obligations, SCCs alone cannot be sufficient.

Arguments by the Respondent (Facebook Ireland): Facebook Ireland, supported by the European Commission and the US Government, argued:

  • SCCs Are Sufficient:
      • SCCs impose contractual obligations on the importer which, together with the exporter's supervision, can ensure compliance with EU law.
  • Privacy Shield Ensures Adequate Protection:
      • The Privacy Shield framework includes safeguards, such as the Ombudsperson mechanism, to address EU concerns.
  • Companies Have Compliance Responsibilities:
      • The burden is on Facebook and other companies to ensure that data protection measures are implemented properly.

The Irish DPC, by contrast, doubted that SCCs could validly be used for transfers to the US in the light of US surveillance law, and brought the High Court proceedings precisely to have that question referred to the CJEU.

Court Analysis and Reasoning: The CJEU ruled as follows:

  • Invalidation of the EU-US Privacy Shield:
      • The Privacy Shield did not provide the adequate level of protection required under Article 45 GDPR, read in the light of the Charter.
      • Reasoning:
          • US surveillance laws (FISA Section 702, EO 12333) permit data collection that is not limited to what is strictly necessary.
          • EU data subjects have no rights enforceable against the US authorities before the courts.
          • The Ombudsperson mechanism neither guarantees independence from the executive nor has the power to adopt decisions binding on the intelligence services, so it does not amount to an effective remedy under Article 47 CFR.
  • Validity of Standard Contractual Clauses (SCCs), With Conditions:
      • SCCs remain a valid transfer mechanism (Article 46 GDPR) but are subject to strict conditions.
      • Reasoning:
          • Before transferring, the exporter (together with the importer) must verify that the law and practice of the receiving country allow the SCCs to be complied with in practice, and add supplementary measures where they do not.
          • If the importer cannot comply because of local law, it must inform the exporter, and the exporter must suspend the transfer or terminate the contract.
          • Supervisory authorities (like the Irish DPC) must suspend or prohibit SCC-based transfers where, in their view, essentially equivalent protection cannot be ensured.

Judgment:

  • The CJEU struck down the EU-US Privacy Shield as invalid.
  • SCCs remain valid, but only if companies can ensure adequate protection in the receiving country.
  • Obligations on data controllers and regulators to assess data transfer risks were significantly increased.

International Implications:

  • Impact on US-EU Data Transfers:
      • Companies could no longer rely on Privacy Shield, and the Court granted no grace period, leading to legal uncertainty.
      • Many organizations moved to SCCs combined with supplementary measures.
  • Effect on Businesses & Compliance:
      • Increased legal and compliance costs for businesses.
      • Exporters had to carry out transfer impact assessments (TIAs, often called Data Transfer Impact Assessments or DTIAs) before sending data to third countries; the EDPB's Recommendations 01/2020 on supplementary measures set out the expected methodology.
  • Pressure for US Legal Reforms:
      • The ruling prompted negotiations for a new transatlantic framework, leading to Executive Order 14086 (October 2022) and the EU-US Data Privacy Framework adequacy decision of 10 July 2023.
  • Influence on Other Jurisdictions:
      • India – Digital Personal Data Protection (DPDP) Act (2023): Aligns with GDPR principles but allows broad government exemptions. Cross-border transfers are permitted to any country except those restricted by government notification (a blacklist approach), unlike the GDPR's adequacy system.
      • China – Personal Information Protection Law (PIPL) (2021): Outbound transfers require one of a security assessment by the Cyberspace Administration of China (CAC), a certification, or a CAC standard contract, plus the data subject's separate consent; more restrictive than the GDPR.
      • Brazil – LGPD (enacted 2018, in force 2020): Modelled on the GDPR but with lower fine caps.

Analysis of Schrems II (C-311/18) by Industry and Compliance Need: The practical consequences differ by sector. The following perspectives are tailored to the sectors most affected.

Technology & Cloud Services (Big Tech, SaaS, Data Hosting)

Key Impact:

    • Cloud service providers (AWS, Google Cloud, Microsoft Azure) and their customers must reassess EU-US data transfers, including remote access from the US to data hosted in the EU, which the EDPB treats as a transfer in its own right.
    • Companies relying on SaaS solutions with US-based data centers must implement encryption, pseudonymization, and other supplementary safeguards.

Compliance Steps:

    • Conduct Data Transfer Impact Assessments (DTIAs).
    • Encrypt data before it leaves the EU, both at rest and in transit, with the keys held only by the exporter or another entity in the EEA. Encryption where the US importer holds or can obtain the key offers no protection against compelled access, because the importer can simply be ordered to decrypt.
    • Consider EU-based data centers or local processing solutions to mitigate legal risks.

E-Commerce & Digital Marketing

Key Impact:

  • Targeted advertising platforms (Google Ads, Meta, TikTok, etc.) collect personal data (cookies, behavioural data) that often involve EU-US data transfers.
  • Use of analytics tools (Google Analytics, Facebook Pixel, etc.) can be problematic without safeguards; several EU supervisory authorities found Google Analytics transfers unlawful in the wake of Schrems II.

Compliance Steps:

  • Move to EU-hosted analytics solutions (e.g., Matomo instead of Google Analytics).
  • Explicit consent for transfers to the US (Article 49(1)(a) GDPR) is a derogation for occasional, non-systematic transfers only, and the user must be informed of the specific risks; it is not a substitute for SCCs for routine analytics or advertising data flows.
  • Use Standard Contractual Clauses (SCCs) with supplementary security measures.

Financial Services & Banking

Key Impact:

      • Banks and fintech firms using US-based cloud solutions for customer data storage need stronger compliance measures.
      • Cross-border payments (SWIFT, PayPal, Stripe) involve personal data flows. The contract derogations in Article 49(1)(b)-(c) GDPR may cover the data needed to execute an individual payment, but not bulk storage or analytics of payment data in the US.

Compliance Steps:

      • Work with EU-based financial service providers for transactions.
      • Encrypt financial data before any transfer, with the keys retained in the EU.
      • Implement zero-trust controls (strong authentication, least-privilege access, logging of every access) for international data handling.

Healthcare & Life Sciences (Pharmaceuticals, Telemedicine, Clinical Trials)

Key Impact:

        • Patient data is highly sensitive (special category data under Article 9 GDPR), making Schrems II compliance critical.
        • Many healthtech platforms and research collaborations rely on US-based cloud services.

Compliance Steps:

        • Store health data within the EU whenever possible.
        • Anonymize data before international transfer where the research permits. Pseudonymized data (e.g., trial data keyed to a subject code whose key list is held by the sponsor or site) remains personal data under Article 4(5) and Recital 26 GDPR, so the transfer rules still apply to it.
        • Conduct risk assessments for clinical trial data sharing with US-based partners.

Legal & Compliance Strategies for Any Industry

Use of SCCs:

Businesses must implement "supplementary measures" (e.g., encryption with EU-held keys, pseudonymization, access control) where the transfer assessment shows that local law would otherwise undermine the SCCs.

  • Data Localization Considerations:

Many companies are now exploring EU-based cloud services (e.g., OVHCloud, Deutsche Telekom Cloud). An EU data centre operated by a US provider does not by itself remove the transfer problem if staff in the US can access the data remotely.

  • Alternative Legal Mechanisms:

Explore Binding Corporate Rules (BCRs) for intra-group transfers (Article 47 GDPR). BCRs require approval by a supervisory authority and are subject to the same Schrems II assessment and supplementary-measure requirements as SCCs.
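The supplementary measures recommended above (end-to-end encryption under Technology & Cloud Services, anonymization before transfer under Healthcare, and the "supplementary measures" under Use of SCCs) all reduce to one engineering question: who holds the keys? The following Python example is added here and is not code from the original post or from any party to the case. It shows the pattern the EDPB's Recommendations 01/2020 accept for hosting and backup: direct identifiers are replaced by keyed pseudonyms and the remaining payload is encrypted before export, with the keys and the re-identification table held only by the EU exporter. The record layout and field names are constructed for illustration, and the BLAKE2b-based stream cipher with an HMAC tag is a standard-library stand-in for a vetted AEAD such as AES-GCM, chosen so that the example runs without third-party packages; that choice is an assumption of the example, not a recommendation of the post.

```python
"""Added example (not from the original post): pseudonymise and encrypt before
export so that the US importer, or an authority compelling it, receives nothing
it can read.  Every key and the re-identification table stay in the EU.
Assumptions: record layout and field names are constructed; the BLAKE2b
keystream + HMAC construction stands in for a vetted AEAD such as AES-GCM."""
import hashlib
import hmac
import json
import secrets

# Material that never leaves the EU exporter (generated here for the example).
EU_PSEUDONYM_KEY = secrets.token_bytes(32)   # keyed-hash key for pseudonyms
EU_ENC_KEY = secrets.token_bytes(32)         # payload confidentiality key
EU_MAC_KEY = secrets.token_bytes(32)         # payload integrity key
EU_LOOKUP = {}                               # pseudonym -> direct identifier


def pseudonym(identifier: str) -> str:
    """Keyed BLAKE2b of a direct identifier. Deterministic, so records about the
    same person still join on the importer side, but without EU_PSEUDONYM_KEY an
    importer cannot confirm guesses the way it could against a plain SHA-256."""
    return hashlib.blake2b(identifier.encode(), key=EU_PSEUDONYM_KEY,
                           digest_size=16).hexdigest()


def _keystream(nonce: bytes, length: int) -> bytes:
    """PRF-in-counter-mode keystream: BLAKE2b keyed with EU_ENC_KEY, salted with
    a per-message 16-byte nonce, applied to a running block counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.blake2b(counter.to_bytes(8, "big"), key=EU_ENC_KEY,
                               salt=nonce).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext: bytes) -> dict:
    """Encrypt-then-MAC with a fresh nonce; only hex strings go on the wire."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(nonce, len(plaintext))))
    tag = hmac.new(EU_MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(blob: dict) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(EU_MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: payload altered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(nonce, len(ct))))


def export_record(record: dict) -> dict:
    """Split one EU record: the importer gets a pseudonym plus an opaque payload;
    the mapping back to the person is written only to the EU-held table."""
    subject = pseudonym(record["email"])
    EU_LOOKUP[subject] = record["email"]
    payload = {k: v for k, v in record.items() if k != "email"}
    wire = json.dumps(payload, sort_keys=True).encode()
    return {"subject": subject, "payload": encrypt(wire)}


def reidentify(exported: dict) -> dict:
    """EU side only: needs EU_LOOKUP and both keys, none of which were exported."""
    payload = json.loads(decrypt(exported["payload"]))
    return {"email": EU_LOOKUP[exported["subject"]], **payload}


def plaintext_exposure(exported: dict, record: dict) -> list:
    """Audit check: which original field values appear verbatim in the bytes
    that actually cross the border? The answer should be an empty list."""
    wire = json.dumps(exported).encode()
    return [k for k, v in record.items() if str(v).encode() in wire]


# Constructed sample record (not real data).
SAMPLE = {"email": "alice@example.eu", "name": "Alice Muster",
          "dob": "1990-05-17", "notes": "allergy: penicillin"}

if __name__ == "__main__":
    exported = export_record(SAMPLE)
    print("importer receives:", json.dumps(exported, indent=1))
    print("exposed in clear:", plaintext_exposure(exported, SAMPLE))
    print("EU re-identified:", reidentify(exported))
```

Running the file prints the exported structure, which contains only hex strings, an empty exposure list, and the re-identified record on the EU side. Two practitioner caveats the example makes concrete: the pseudonymised export is still personal data in the exporter's hands, because re-identification remains possible with EU_LOOKUP; and the pattern only works where the importer does not need to read the data (storage, backup, transit). Where a US processor must act on clear-text data, the EDPB's position in Recommendations 01/2020 is that no technical measure closes the gap and the transfer cannot proceed on SCCs alone.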

Conclusion:

The Schrems II ruling reshaped global data protection by reinforcing fundamental privacy rights under the GDPR. It held that US surveillance law, as it then stood, was incompatible with EU data protection standards, forcing companies to adopt stricter safeguards for international data transfers. The ruling also accelerated legal reform in the US (Executive Order 14086 and the 2023 Data Privacy Framework) and is frequently cited alongside GDPR-inspired laws such as India's DPDP Act and Brazil's LGPD. While SCCs remain a key mechanism, their use now requires case-by-case assessments and enhanced security measures. The long-term viability of the new EU-US Data Privacy Framework remains uncertain, as privacy advocates continue to challenge its effectiveness.

References:

  1. Court of Justice of the European Union, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II) (Judgment) [2020] ECLI:EU:C:2020:559, C-311/18.
  2. Charter of Fundamental Rights of the European Union [2012] OJ C326/391.
  3. Regulation (EU) 2016/679 (General Data Protection Regulation) [2016] OJ L119/1.
  4. Foreign Intelligence Surveillance Act, Section 702, 50 USC § 1881a (as added by the FISA Amendments Act of 2008).
  5. Executive Order 12333, United States Intelligence Activities (1981).
  6. Digital Personal Data Protection Act, 2023 (India).
  7. Lei Geral de Proteção de Dados (LGPD), Law No. 13.709/2018 (Brazil).
  8. Personal Information Protection Law (PIPL) (China, 2021).
  9. European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (version 2.0, 18 June 2021).
