[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fqN_eb8WbGazYq_x5XPYGNguFkF8M1w7O10Xis5FUHjs":3},{"article":4,"iocs":55},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":34,"category":35,"article_tags":39},"f0b98582-7176-403b-add0-b529d034ab50","CJEU - C-311\u002F18 - Facebook Ireland and Schrems","cjeu-c-311-18-facebook-ireland-and-schrems-5884d4","EU LAW CLEAN-UP ← Older revision Revision as of 13:40, 17 July 2026 Line 1: Line 1: {{CJEUdecisionBOX |Case_Number_Name=C-311\u002F18 Facebook Ireland and Schrems |ECLI=ECLI:EU:C:2020:559 |Opinion_Link=https:\u002F\u002Fcuria.europa.eu\u002Fjuris\u002Fdocument\u002Fdocument.jsf?docid=221826&doclang=en |Judgement_Link=https:\u002F\u002Fcuria.europa.eu\u002Fjuris\u002Fdocument\u002Fdocument.jsf?docid=228677&doclang=en |Date_Decided=16.07.2020 |Year=2020 |GDPR_Article_1=Article 2(2) GDPR |GDPR_Article_Link_1=Article 2 GDPR#2 |GDPR_Article_2=Article 45 GDPR |GDPR_Article_Link_2=Article 45 GDPR |GDPR_Article_3=Article 46 GDPR |GDPR_Article_Link_3=Article 46 GDPR |GDPR_Article_4=Article 58 GDPR |GDPR_Article_Link_4=Article 58 GDPR |EU_Law_Name_1=Charter of Fundamental Rights of the European Union |EU_Law_Link_1=https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FTXT\u002F?uri=CELEX:12012P\u002FTXT |EU_Law_Name_2=Decision 2010\u002F87\u002FEU |EU_Law_Link_2=https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FTXT\u002F?uri=celex%3A32010D0087 |EU_Law_Name_3=Decision (EU) 2016\u002F1250 |EU_Law_Link_3=https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FTXT\u002F?uri=uriserv%3AOJ.L_.2016.207.01.0001.01.ENG |Party_Name_1=Data Protection Commission |Party_Link_1=https:\u002F\u002Fwww.dataprotection.ie\u002F |Party_Name_2=Facebook Ireland |Party_Link_2=https:\u002F\u002Fwww.facebook.com |Party_Name_3=Maximillian Schrems |Party_Link_3=https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FMax_Schrems |Party_Name_4= |Party_Link_4= |Party_Name_5= |Party_Link_5= |Reference_Body=High Court (Ireland) |Reference_Case_Number_Name= |Initial_Contributor=Isabel Hahn }} {{CJEUdecisionBOX |Case_Number_Name=C-311\u002F18 Facebook Ireland and Schrems |ECLI=ECLI:EU:C:2020:559 |Opinion_Link=https:\u002F\u002Fcuria.europa.eu\u002Fjuris\u002Fdocument\u002Fdocument.jsf?docid=221826&doclang=en |Judgement_Link=https:\u002F\u002Fcuria.europa.eu\u002Fjuris\u002Fdocument\u002Fdocument.jsf?docid=228677&doclang=en |Date_Decided=16.07.2020 |Year=2020 |GDPR_Article_1=Article 2(2) GDPR |GDPR_Article_Link_1=Article 2 GDPR#2 |GDPR_Article_2=Article 45 GDPR |GDPR_Article_Link_2=Article 45 GDPR |GDPR_Article_3=Article 46 GDPR |GDPR_Article_Link_3=Article 46 GDPR |GDPR_Article_4=Article 58 GDPR |GDPR_Article_Link_4=Article 58 GDPR |EU_Law_Name_1=7 CFR |EU_Law_Link_1=https:\u002F\u002Feur-lex.europa.eu\u002Feli\u002Ftreaty\u002Fchar_2012\u002Foj |EU_Law_Name_2=Decision 2010\u002F87\u002FEU |EU_Law_Link_2=https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FTXT\u002F?uri=celex%3A32010D0087 |EU_Law_Name_3=Decision (EU) 2016\u002F1250 |EU_Law_Link_3=https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FTXT\u002F?uri=uriserv%3AOJ.L_.2016.207.01.0001.01.ENG |Party_Name_1=Data Protection Commission |Party_Link_1=https:\u002F\u002Fwww.dataprotection.ie\u002F |Party_Name_2=Facebook Ireland |Party_Link_2=https:\u002F\u002Fwww.facebook.com |Party_Name_3=Maximillian Schrems |Party_Link_3=https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FMax_Schrems |Party_Name_4= |Party_Link_4= |Party_Name_5= |Party_Link_5= |Reference_Body=High Court (Ireland) |Reference_Case_Number_Name= |Initial_Contributor=Isabel Hahn |EU_Law_Name_4=8 CFR|EU_Law_Link_4=https:\u002F\u002Feur-lex.europa.eu\u002Feli\u002Ftreaty\u002Fchar_2012\u002Foj|EU_Law_Name_5=47 CFR|EU_Law_Link_5=https:\u002F\u002Feur-lex.europa.eu\u002Feli\u002Ftreaty\u002Fchar_2012\u002Foj}} The Court of Justice of the European Union (CJEU) invalidated Commission Decision 2016\u002F1250 (the EU-US Privacy Shield), but affirmed the validity of standard contractual clauses (SCCs), providing that they include effective mechanisms to ensure compliance in practice with the “essentially equivalent” level of protection guaranteed by the GDPR to EU citizens. The Court of Justice of the European Union (CJEU) invalidated Commission Decision 2016\u002F1250 (the EU-US Privacy Shield), but affirmed the validity of standard contractual clauses (SCCs), providing that they include effective mechanisms to ensure compliance in practice with the “essentially equivalent” level of protection guaranteed by the GDPR to EU citizens. Line 10: Line 10: In its judgment on October 6th 2015 (Case C-362\u002F14, “Schrems I”), the CJEU invalidated the Safe Harbor and stated that, in order to be \"adequate\", the level of data protection offered by the third country should be “essentially equivalent” to that being offered in the EU. As a result, the High Court annulled the decision rejecting Mr. Schrems’ complaint, and referred the case back to the DPC. In its judgment on October 6th 2015 (Case C-362\u002F14, “Schrems I”), the CJEU invalidated the Safe Harbor and stated that, in order to be \"adequate\", the level of data protection offered by the third country should be “essentially equivalent” to that being offered in the EU. As a result, the High Court annulled the decision rejecting Mr. Schrems’ complaint, and referred the case back to the DPC. In the remittal “judgment” before the DPC, Facebook Ireland explained that the invalidated adequacy decision was not relevant as a large part of personal data was transferred to Facebook Inc. pursuant to Standard Contractual Clauses (SCCs). On this basis, the DPC asked Mr. Schrems to reformulate his complaint. In his reformulated complaint lodged on December 1st 2015, Mr. Schrems alleged that US law required Facebook Inc. to disclose his personal data to certain United States authorities in the context of various monitoring programs (in particular, the FISA 702 and the Executive Order 12.333). In Mr Schrems’ view, these programs contravened different data protection principles as well as Articles 7, 8, and 47 of the Charter. After investigating the allegations made by Mr. Schrems, the DPC argued that it could not adjudicate on them until the CJEU had examined the validity of the SCCs, and so it brought proceedings before the High Court. On May 4th 2018 the High Court made the reference for a (second) preliminary ruling to the CJEU. In the remittal “judgment” before the DPC, Facebook Ireland explained that the invalidated adequacy decision was not relevant as a large part of personal data was transferred to Facebook Inc. pursuant to Standard Contractual Clauses (SCCs). On this basis, the DPC asked Mr. Schrems to reformulate his complaint. In his reformulated complaint lodged on December 1st 2015, Mr. Schrems alleged that US law required Facebook Inc. to disclose his personal data to certain United States authorities in the context of various monitoring programs (in particular, the FISA 702 and the Executive Order 12.333). In Mr Schrems’ view, these programs contravened different data protection principles as well as Article 7 CFR, Article 8 CFR, and Article 47 CFR. After investigating the allegations made by Mr. Schrems, the DPC argued that it could not adjudicate on them until the CJEU had examined the validity of the SCCs, and so it brought proceedings before the High Court. On May 4th 2018 the High Court made the reference for a (second) preliminary ruling to the CJEU. In its reference to the CJEU, the High Court specified that Section 702 of the FISA permitted the Attorney General and the Director of National Intelligence to authorize jointly, following FISA approval, the surveillance of individuals who are not US citizens and who are located outside of the US in order to obtain foreign intelligence information. It was also affirmed that Section 702 of the FISA provided the basis for the PRISM and UPSTREAM surveillance programs. PRISM in particular, requires Internet Service Providers (ISPs) to supply the NSA with all communications to and from a ‘selector’. UPSTREAM on the other hand, permitted the NSA to copy and filter Internet traffic flows from the ‘backbone’ of the internet, granting it access to both the content of communications and their metadata. Furthermore, the High Court had found that Executive Order 12.333 (E.O. 12333) allowed the NSA to access data in transit by accessing underwater cables on the floor of the Atlantic. The High Court stated that the only limit on US surveillance activities was found in the Presidential Policy Directive (PPD-28), and even this only stated that intelligence activities should be ‘tailored as feasible’. On the basis of these findings, the High Court considered that the US carried out mass processing of personal data without ensuring a level of protection that was essentially equivalent to that which was guaranteed by Articles 7 and 8 of the Charter. The High Court also highlighted that EU citizens did not have the same remedies available to them as US citizens with regards to the processing of their personal data, since the Fourth Amendment to the Constitution of the United States did not apply to non-US citizens. This meant that it was particularly difficult for EU citizens to establish standing before a US court. Moreover, activities based on E.O. 12333 were not subject to judicial oversight and were not justiciable. In its reference to the CJEU, the High Court specified that Section 702 of the FISA permitted the Attorney General and the Director of National Intelligence to authorize jointly, following FISA approval, the surveillance of individuals who are not US citizens and who are located outside of the US in order to obtain foreign intelligence information. It was also affirmed that Section 702 of the FISA provided the basis for the PRISM and UPSTREAM surveillance programs. PRISM in particular, requires Internet Service Providers (ISPs) to supply the NSA with all communications to and from a ‘selector’. UPSTREAM on the other hand, permitted the NSA to copy and filter Internet traffic flows from the ‘backbone’ of the internet, granting it access to both the content of communications and their metadata. Furthermore, the High Court had found that Executive Order 12.333 (E.O. 12333) allowed the NSA to access data in transit by accessing underwater cables on the floor of the Atlantic. The High Court stated that the only limit on US surveillance activities was found in the Presidential Policy Directive (PPD-28), and even this only stated that intelligence activities should be ‘tailored as feasible’. On the basis of these findings, the High Court considered that the US carried out mass processing of personal data without ensuring a level of protection that was essentially equivalent to that which was guaranteed by Article 7 CFR and Article 8 CFR. The High Court also highlighted that EU citizens did not have the same remedies available to them as US citizens with regards to the processing of their personal data, since the Fourth Amendment to the Constitution of the United States did not apply to non-US citizens. This meant that it was particularly difficult for EU citizens to establish standing before a US court. Moreover, activities based on E.O. 12333 were not subject to judicial oversight and were not justiciable. Given the considerable effects of US surveillance law on the rights of Europeans, the High Court raised the question of whether the SCCs are valid, given that they may not be binding on the State authority of the third country. If they did not bind the third country State authority, then they are not capable of remedying a possible lack of an adequate level of protection of personal data. Given the considerable effects of US surveillance law on the rights of Europeans, the High Court raised the question of whether the SCCs are valid, given that they may not be binding on the State authority of the third country. If they did not bind the third country State authority, then they are not capable of remedying a possible lack of an adequate level of protection of personal data. Line 47: Line 47: The CJEU also commented on the duty of authorities to handle complaints. See para 109 (emphasis added): The CJEU also commented on the duty of authorities to handle complaints. See para 109 (emphasis added): \"In addition, under Article 57(1)(f) of the GDPR, '''each supervisory authority is required on its territory to handle complaints''' which, in accordance with Article 77(1) of that regulation, any data subject is entitled to lodge where that data subject considers that the processing of his or her personal data infringes the regulation, and is required to examine the nature of that complaint as necessary. '''The supervisory authority must handle such a complaint with all due diligence''' (see, by analogy, as regards Article 25(6) of Directive 95\u002F46, judgment of 6 October 2015, ''Schrems'', C‑362\u002F14, EU:C:2015:650, paragraph 63).\" \"In addition, under Article 57(1)(f) GDPR, '''each supervisory authority is required on its territory to handle complaints''' which, in accordance with Article 77(1) GDPR, any data subject is entitled to lodge where that data subject considers that the processing of his or her personal data infringes the regulation, and is required to examine the nature of that complaint as necessary. '''The supervisory authority must handle such a complaint with all due diligence''' (see, by analogy, as regards Article 25(6) Directive 95\u002F46\u002FEC, judgment of 6 October 2015, ''Schrems'', C‑362\u002F14, EU:C:2015:650, paragraph 63).\" ==Further Resources== ==Further Resources== ''Share blogs or news articles here!'' ''Share blogs or news articles here!'' [[Category:Featured decisions]] [[index.php?title=Category:Featured decisions]]","In the landmark Schrems II decision (C-311\u002F18), the Court of Justice of the European Union invalidated the EU-US Privacy Shield adequacy decision due to mass surveillance under US law (FISA Section 702, PRISM, UPSTREAM, Executive Order 12.333), finding it incompatible with GDPR protections. However, the court affirmed the validity of Standard Contractual Clauses (SCCs) as a lawful transfer mechanism, provided they include effective safeguards ensuring essentially equivalent data protection. The ruling underscores that supervisory authorities must diligently handle data subject complaints and that third-country surveillance regimes may render contractual clauses insufficient without additional protective measures.","CJEU invalidates EU-US Privacy Shield but upholds Standard Contractual Clauses for transatlantic data transfers.","Help CJEU - C-311\u002F18 - Facebook Ireland and Schrems: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 09:34, 21 October 2024 view sourceManTechnologist (talk | contribs)861 edits Tag: Visual edit← Older edit Latest revision as of 13:40, 17 July 2026 view source Ds (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators216 editsm Tag: Visual edit Line 1: Line 1: {{CJEUdecisionBOX |Case_Number_Name=C-311\u002F18 Facebook Ireland and Schrems |ECLI=ECLI:EU:C:2020:559 |Opinion_Link=https:\u002F\u002Fcuria.europa.eu\u002Fjuris\u002Fdocument\u002Fdocument.jsf?docid=221826&doclang=en |Judgement_Link=https:\u002F\u002Fcuria.europa.eu\u002Fjuris\u002Fdocument\u002Fdocument.jsf?docid=228677&doclang=en |Date_Decided=16.07.2020 |Year=2020 |GDPR_Article_1=Article 2(2) GDPR |GDPR_Article_Link_1=Article 2 GDPR#2 |GDPR_Article_2=Article 45 GDPR |GDPR_Article_Link_2=Article 45 GDPR |GDPR_Article_3=Article 46 GDPR |GDPR_Article_Link_3=Article 46 GDPR |GDPR_Article_4=Article 58 GDPR |GDPR_Article_Link_4=Article 58 GDPR |EU_Law_Name_1=Charter of Fundamental Rights of the European Union |EU_Law_Link_1=https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FTXT\u002F?uri=CELEX:12012P\u002FTXT |EU_Law_Name_2=Decision 2010\u002F87\u002FEU |EU_Law_Link_2=https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FTXT\u002F?uri=celex%3A32010D0087 |EU_Law_Name_3=Decision (EU) 2016\u002F1250 |EU_Law_Link_3=https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FTXT\u002F?uri=uriserv%3AOJ.L_.2016.207.01.0001.01.ENG |Party_Name_1=Data Protection Commission |Party_Link_1=https:\u002F\u002Fwww.dataprotection.ie\u002F |Party_Name_2=Facebook Ireland |Party_Link_2=https:\u002F\u002Fwww.facebook.com |Party_Name_3=Maximillian Schrems |Party_Link_3=https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FMax_Schrems |Party_Name_4= |Party_Link_4= |Party_Name_5= |Party_Link_5= |Reference_Body=High Court (Ireland) |Reference_Case_Number_Name= |Initial_Contributor=Isabel Hahn }}{{CJEUdecisionBOX |Case_Number_Name=C-311\u002F18 Facebook Ireland and Schrems |ECLI=ECLI:EU:C:2020:559 |Opinion_Link=https:\u002F\u002Fcuria.europa.eu\u002Fjuris\u002Fdocument\u002Fdocument.jsf?docid=221826&doclang=en |Judgement_Link=https:\u002F\u002Fcuria.europa.eu\u002Fjuris\u002Fdocument\u002Fdocument.jsf?docid=228677&doclang=en |Date_Decided=16.07.2020 |Year=2020 |GDPR_Article_1=Article 2(2) GDPR |GDPR_Article_Link_1=Article 2 GDPR#2 |GDPR_Article_2=Article 45 GDPR |GDPR_Article_Link_2=Article 45 GDPR |GDPR_Article_3=Article 46 GDPR |GDPR_Article_Link_3=Article 46 GDPR |GDPR_Article_4=Article 58 GDPR |GDPR_Article_Link_4=Article 58 GDPR |EU_Law_Name_1=7 CFR |EU_Law_Link_1=https:\u002F\u002Feur-lex.europa.eu\u002Feli\u002Ftreaty\u002Fchar_2012\u002Foj |EU_Law_Name_2=Decision 2010\u002F87\u002FEU |EU_Law_Link_2=https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FTXT\u002F?uri=celex%3A32010D0087 |EU_Law_Name_3=Decision (EU) 2016\u002F1250 |EU_Law_Link_3=https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FTXT\u002F?uri=uriserv%3AOJ.L_.2016.207.01.0001.01.ENG |Party_Name_1=Data Protection Commission |Party_Link_1=https:\u002F\u002Fwww.dataprotection.ie\u002F |Party_Name_2=Facebook Ireland |Party_Link_2=https:\u002F\u002Fwww.facebook.com |Party_Name_3=Maximillian Schrems |Party_Link_3=https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FMax_Schrems |Party_Name_4= |Party_Link_4= |Party_Name_5= |Party_Link_5= |Reference_Body=High Court (Ireland) |Reference_Case_Number_Name= |Initial_Contributor=Isabel Hahn |EU_Law_Name_4=8 CFR|EU_Law_Link_4=https:\u002F\u002Feur-lex.europa.eu\u002Feli\u002Ftreaty\u002Fchar_2012\u002Foj|EU_Law_Name_5=47 CFR|EU_Law_Link_5=https:\u002F\u002Feur-lex.europa.eu\u002Feli\u002Ftreaty\u002Fchar_2012\u002Foj}} The Court of Justice of the European Union (CJEU) invalidated Commission Decision 2016\u002F1250 (the EU-US Privacy Shield), but affirmed the validity of standard contractual clauses (SCCs), providing that they include effective mechanisms to ensure compliance in practice with the “essentially equivalent” level of protection guaranteed by the GDPR to EU citizens.The Court of Justice of the European Union (CJEU) invalidated Commission Decision 2016\u002F1250 (the EU-US Privacy Shield), but affirmed the validity of standard contractual clauses (SCCs), providing that they include effective mechanisms to ensure compliance in practice with the “essentially equivalent” level of protection guaranteed by the GDPR to EU citizens. Line 10: Line 10: In its judgment on October 6th 2015 (Case C-362\u002F14, “Schrems I”), the CJEU invalidated the Safe Harbor and stated that, in order to be \"adequate\", the level of data protection offered by the third country should be “essentially equivalent” to that being offered in the EU. As a result, the High Court annulled the decision rejecting Mr. Schrems’ complaint, and referred the case back to the DPC.In its judgment on October 6th 2015 (Case C-362\u002F14, “Schrems I”), the CJEU invalidated the Safe Harbor and stated that, in order to be \"adequate\", the level of data protection offered by the third country should be “essentially equivalent” to that being offered in the EU. As a result, the High Court annulled the decision rejecting Mr. Schrems’ complaint, and referred the case back to the DPC. In the remittal “judgment” before the DPC, Facebook Ireland explained that the invalidated adequacy decision was not relevant as a large part of personal data was transferred to Facebook Inc. pursuant to Standard Contractual Clauses (SCCs). On this basis, the DPC asked Mr. Schrems to reformulate his complaint. In his reformulated complaint lodged on December 1st 2015, Mr. Schrems alleged that US law required Facebook Inc. to disclose his personal data to certain United States authorities in the context of various monitoring programs (in particular, the FISA 702 and the Executive Order 12.333). In Mr Schrems’ view, these programs contravened different data protection principles as well as Articles 7, 8, and 47 of the Charter. After investigating the allegations made by Mr. Schrems, the DPC argued that it could not adjudicate on them until the CJEU had examined the validity of the SCCs, and so it brought proceedings before the High Court. On May 4th 2018 the High Court made the reference for a (second) preliminary ruling to the CJEU. In the remittal “judgment” before the DPC, Facebook Ireland explained that the invalidated adequacy decision was not relevant as a large part of personal data was transferred to Facebook Inc. pursuant to Standard Contractual Clauses (SCCs). On this basis, the DPC asked Mr. Schrems to reformulate his complaint. In his reformulated complaint lodged on December 1st 2015, Mr. Schrems alleged that US law required Facebook Inc. to disclose his personal data to certain United States authorities in the context of various monitoring programs (in particular, the FISA 702 and the Executive Order 12.333). In Mr Schrems’ view, these programs contravened different data protection principles as well as Article 7 CFR, Article 8 CFR, and Article 47 CFR. After investigating the allegations made by Mr. Schrems, the DPC argued that it could not adjudicate on them until the CJEU had examined the validity of the SCCs, and so it brought proceedings before the High Court. On May 4th 2018 the High Court made the reference for a (second) preliminary ruling to the CJEU. In its reference to the CJEU, the High Court specified that Section 702 of the FISA permitted the Attorney General and the Director of National Intelligence to authorize jointly, following FISA approval, the surveillance of individuals who are not US citizens and who are located outside of the US in order to obtain foreign intelligence information. It was also affirmed that Section 702 of the FISA provided the basis for the PRISM and UPSTREAM surveillance programs. PRISM in particular, requires Internet Service Providers (ISPs) to supply the NSA with all communications to and from a ‘selector’. UPSTREAM on the other hand, permitted the NSA to copy and filter Internet traffic flows from the ‘backbone’ of the internet, granting it access to both the content of communications and their metadata. Furthermore, the High Court had found that Executive Order 12.333 (E.O. 12333) allowed the NSA to access data in transit by accessing underwater cab","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=CJEU_-_C-311\u002F18_-_Facebook_Ireland_and_Schrems&diff=52401&oldid=43871","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F8\u002F87\u002FCjeulogo.png","2026-07-17T13:40:11+00:00","2026-07-17T14:00:18.437404+00:00",9,[18,21,24,27,29,32],{"name":19,"type":20},"Meta (Facebook)","vendor",{"name":22,"type":23},"Facebook","product",{"name":25,"type":26},"Standard Contractual Clauses (SCCs)","technology",{"name":28,"type":26},"FISA Section 702",{"name":30,"type":31},"PRISM","campaign",{"name":33,"type":31},"UPSTREAM","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":34,"icon":36,"name":37,"slug":38},null,"GDPR","gdpr",[40,45,50],{"category":41},{"id":42,"icon":36,"name":43,"slug":44},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":46},{"id":47,"icon":36,"name":48,"slug":49},"614132b8-5837-4952-b8b5-c6c9a32a1d85","Privacy","privacy",{"category":51},{"id":52,"icon":36,"name":53,"slug":54},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",[]]