CJEU - C-311/18 - Facebook Ireland and Schrems
CJEU invalidates EU-US Privacy Shield but upholds Standard Contractual Clauses for transatlantic data transfers.
Summary
In the landmark Schrems II decision (C-311/18), the Court of Justice of the European Union invalidated the EU-US Privacy Shield adequacy decision due to mass surveillance under US law (FISA Section 702, PRISM, UPSTREAM, Executive Order 12.333), finding it incompatible with GDPR protections. However, the court affirmed the validity of Standard Contractual Clauses (SCCs) as a lawful transfer mechanism, provided they include effective safeguards ensuring essentially equivalent data protection. The ruling underscores that supervisory authorities must diligently handle data subject complaints and that third-country surveillance regimes may render contractual clauses insufficient without additional protective measures.
Full text
Help CJEU - C-311/18 - Facebook Ireland and Schrems: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 09:34, 21 October 2024 view sourceManTechnologist (talk | contribs)861 edits Tag: Visual edit← Older edit Latest revision as of 13:40, 17 July 2026 view source Ds (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators216 editsm Tag: Visual edit Line 1: Line 1: {{CJEUdecisionBOX |Case_Number_Name=C-311/18 Facebook Ireland and Schrems |ECLI=ECLI:EU:C:2020:559 |Opinion_Link=https://curia.europa.eu/juris/document/document.jsf?docid=221826&doclang=en |Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?docid=228677&doclang=en |Date_Decided=16.07.2020 |Year=2020 |GDPR_Article_1=Article 2(2) GDPR |GDPR_Article_Link_1=Article 2 GDPR#2 |GDPR_Article_2=Article 45 GDPR |GDPR_Article_Link_2=Article 45 GDPR |GDPR_Article_3=Article 46 GDPR |GDPR_Article_Link_3=Article 46 GDPR |GDPR_Article_4=Article 58 GDPR |GDPR_Article_Link_4=Article 58 GDPR |EU_Law_Name_1=Charter of Fundamental Rights of the European Union |EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT |EU_Law_Name_2=Decision 2010/87/EU |EU_Law_Link_2=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32010D0087 |EU_Law_Name_3=Decision (EU) 2016/1250 |EU_Law_Link_3=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2016.207.01.0001.01.ENG |Party_Name_1=Data Protection Commission |Party_Link_1=https://www.dataprotection.ie/ |Party_Name_2=Facebook Ireland |Party_Link_2=https://www.facebook.com |Party_Name_3=Maximillian Schrems |Party_Link_3=https://en.wikipedia.org/wiki/Max_Schrems |Party_Name_4= |Party_Link_4= |Party_Name_5= |Party_Link_5= |Reference_Body=High Court (Ireland) |Reference_Case_Number_Name= |Initial_Contributor=Isabel Hahn }}{{CJEUdecisionBOX |Case_Number_Name=C-311/18 Facebook Ireland and Schrems |ECLI=ECLI:EU:C:2020:559 |Opinion_Link=https://curia.europa.eu/juris/document/document.jsf?docid=221826&doclang=en |Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?docid=228677&doclang=en |Date_Decided=16.07.2020 |Year=2020 |GDPR_Article_1=Article 2(2) GDPR |GDPR_Article_Link_1=Article 2 GDPR#2 |GDPR_Article_2=Article 45 GDPR |GDPR_Article_Link_2=Article 45 GDPR |GDPR_Article_3=Article 46 GDPR |GDPR_Article_Link_3=Article 46 GDPR |GDPR_Article_4=Article 58 GDPR |GDPR_Article_Link_4=Article 58 GDPR |EU_Law_Name_1=7 CFR |EU_Law_Link_1=https://eur-lex.europa.eu/eli/treaty/char_2012/oj |EU_Law_Name_2=Decision 2010/87/EU |EU_Law_Link_2=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32010D0087 |EU_Law_Name_3=Decision (EU) 2016/1250 |EU_Law_Link_3=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2016.207.01.0001.01.ENG |Party_Name_1=Data Protection Commission |Party_Link_1=https://www.dataprotection.ie/ |Party_Name_2=Facebook Ireland |Party_Link_2=https://www.facebook.com |Party_Name_3=Maximillian Schrems |Party_Link_3=https://en.wikipedia.org/wiki/Max_Schrems |Party_Name_4= |Party_Link_4= |Party_Name_5= |Party_Link_5= |Reference_Body=High Court (Ireland) |Reference_Case_Number_Name= |Initial_Contributor=Isabel Hahn |EU_Law_Name_4=8 CFR|EU_Law_Link_4=https://eur-lex.europa.eu/eli/treaty/char_2012/oj|EU_Law_Name_5=47 CFR|EU_Law_Link_5=https://eur-lex.europa.eu/eli/treaty/char_2012/oj}} The Court of Justice of the European Union (CJEU) invalidated Commission Decision 2016/1250 (the EU-US Privacy Shield), but affirmed the validity of standard contractual clauses (SCCs), providing that they include effective mechanisms to ensure compliance in practice with the “essentially equivalent” level of protection guaranteed by the GDPR to EU citizens.The Court of Justice of the European Union (CJEU) invalidated Commission Decision 2016/1250 (the EU-US Privacy Shield), but affirmed the validity of standard contractual clauses (SCCs), providing that they include effective mechanisms to ensure compliance in practice with the “essentially equivalent” level of protection guaranteed by the GDPR to EU citizens. Line 10: Line 10: In its judgment on October 6th 2015 (Case C-362/14, “Schrems I”), the CJEU invalidated the Safe Harbor and stated that, in order to be "adequate", the level of data protection offered by the third country should be “essentially equivalent” to that being offered in the EU. As a result, the High Court annulled the decision rejecting Mr. Schrems’ complaint, and referred the case back to the DPC.In its judgment on October 6th 2015 (Case C-362/14, “Schrems I”), the CJEU invalidated the Safe Harbor and stated that, in order to be "adequate", the level of data protection offered by the third country should be “essentially equivalent” to that being offered in the EU. As a result, the High Court annulled the decision rejecting Mr. Schrems’ complaint, and referred the case back to the DPC. In the remittal “judgment” before the DPC, Facebook Ireland explained that the invalidated adequacy decision was not relevant as a large part of personal data was transferred to Facebook Inc. pursuant to Standard Contractual Clauses (SCCs). On this basis, the DPC asked Mr. Schrems to reformulate his complaint. In his reformulated complaint lodged on December 1st 2015, Mr. Schrems alleged that US law required Facebook Inc. to disclose his personal data to certain United States authorities in the context of various monitoring programs (in particular, the FISA 702 and the Executive Order 12.333). In Mr Schrems’ view, these programs contravened different data protection principles as well as Articles 7, 8, and 47 of the Charter. After investigating the allegations made by Mr. Schrems, the DPC argued that it could not adjudicate on them until the CJEU had examined the validity of the SCCs, and so it brought proceedings before the High Court. On May 4th 2018 the High Court made the reference for a (second) preliminary ruling to the CJEU. In the remittal “judgment” before the DPC, Facebook Ireland explained that the invalidated adequacy decision was not relevant as a large part of personal data was transferred to Facebook Inc. pursuant to Standard Contractual Clauses (SCCs). On this basis, the DPC asked Mr. Schrems to reformulate his complaint. In his reformulated complaint lodged on December 1st 2015, Mr. Schrems alleged that US law required Facebook Inc. to disclose his personal data to certain United States authorities in the context of various monitoring programs (in particular, the FISA 702 and the Executive Order 12.333). In Mr Schrems’ view, these programs contravened different data protection principles as well as Article 7 CFR, Article 8 CFR, and Article 47 CFR. After investigating the allegations made by Mr. Schrems, the DPC argued that it could not adjudicate on them until the CJEU had examined the validity of the SCCs, and so it brought proceedings before the High Court. On May 4th 2018 the High Court made the reference for a (second) preliminary ruling to the CJEU. In its reference to the CJEU, the High Court specified that Section 702 of the FISA permitted the Attorney General and the Director of National Intelligence to authorize jointly, following FISA approval, the surveillance of individuals who are not US citizens and who are located outside of the US in order to obtain foreign intelligence information. It was also affirmed that Section 702 of the FISA provided the basis for the PRISM and UPSTREAM surveillance programs. PRISM in particular, requires Internet Service Providers (ISPs) to supply the NSA with all communications to and from a ‘selector’. UPSTREAM on the other hand, permitted the NSA to copy and filter Internet traffic flows from the ‘backbone’ of the internet, granting it access to both the content of communications and their metadata. Furthermore, the High Court had found that Executive Order 12.333 (E.O. 12333) allowed the NSA to access data in transit by accessing underwater cab