Data Protection Commission – CJEU Judgment (Ireland, 2020)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice ruled on a case involving Facebook and data transfers to the U.S. It decided that the previous agreement allowing these transfers was invalid because it did not provide enough protection for users' data. This ruling is significant as it affects how companies handle personal data across borders.
What happened
The Court ruled that Facebook's transfer of user data to the U.S. was not protected under the invalidated Safe Harbor agreement.
Who was affected
Maximillian Schrems, an Austrian Facebook user, whose data was transferred to the U.S.
What the authority found
The Court held that the level of data protection in the U.S. was not equivalent to that in the EU, invalidating the Safe Harbor agreement.
Why this matters
This ruling sets a precedent for stricter scrutiny of international data transfers. Companies must ensure they comply with data protection standards when transferring user data outside the EU.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Maximillian Schrems, an Austrian citizen, had been a Facebook user since 2008. As is the case with users residing in the European Union, some of the data belonging to Mr. Schrems had been transferred by Facebook Ireland to its servers belonging to Facebook Inc., located in the United States. In 2013, Mr. Schrems complained to the Irish Data Protection Commissioner (DPC) seeking to prohibit these transfers. When this complaint was rejected, he brought an action against the decision before the Irish High Court, which in turn referred a number of questions to the CJEU, the most prominent of which was whether the EU-US adequacy decision, the so-called “Safe Harbor", was valid. In its judgment on October 6th 2015 (Case C-362/14, “Schrems I”), the CJEU invalidated the Safe Harbor and stated that, in order to be "adequate", the level of data protection offered by the third country should be “essentially equivalent” to that being offered in the EU. As a result, the High Court annulled the decision rejecting Mr. Schrems’ complaint, and referred the case back to the DPC. In the remittal “judgment” before the DPC, Facebook Ireland explained that the invalidated adequacy decision was not relevant as a large part of personal data was transferred to Facebook Inc. pursuant to Standard Contractual Clauses (SCCs). On this basis, the DPC asked Mr. Schrems to reformulate his complaint. In his reformulated complaint lodged on December 1st 2015, Mr. Schrems alleged that US law required Facebook Inc. to disclose his personal data to certain United States authorities in the context of various monitoring programs (in particular, the FISA 702 and the Executive Order 12.333). In Mr Schrems’ view, these programs contravened different data protection principles as well as Articles 7, 8, and 47 of the Charter. After investigating the allegations made by Mr. Schrems, the DPC argued that it could not adjudicate on them until the CJEU had examined the validity of the SCCs, and so it brought pro
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (1)
Other cases involving Data Protection Commission in IE
Details
About this data
Cite as: Cookie Fines. Data Protection Commission - Ireland (2020). Retrieved from cookiefines.eu
Last updated: