The Court of Justice has declared the EU-US Privacy Shield Decision invalid


The reason for raising the issue of protection of individuals regarding the processing of personal data is a new decision of the Court of Justice (CJEU) of 16.07.2020. The proceedings are between the Data Protection Commission, on the one hand, and Facebook Ireland Ltd and Mr. Maximillian Schrems, on the other.

The facts of the case

  • Since 2008, Mr. Schrems, an Austrian national residing in Austria, has been a user of the Facebook social network.
  • Any person residing in the European Union who wishes to use Facebook is required to conclude, at the time of his or her registration, a contract with Facebook Ireland, a subsidiary of Facebook Inc., which is itself established in the United States.
  • Some or all of the personal data of Facebook Ireland’s users who reside in the European Union is transferred to servers belonging to Facebook Inc. that are located in the United States, where it undergoes processing.
  • On 25 June 2013, Mr. Schrems filed a complaint with the Commissioner whereby he requested, in essence, that Facebook Ireland be prohibited from transferring his personal data to the United States, on the ground that the law and practice in force in that country did not ensure adequate protection of personal data held in its territory against the surveillance activities in which the public authorities were engaged.
  • This complaint was rejected on the ground that, in Decision 2000/520, the Commission had found that the United States ensured an adequate level of protection.
  • The High Court in Ireland, before which Mr. Schrems had brought judicial review proceedings against the rejection of his complaint, made a request to the Court for a preliminary ruling on the interpretation and validity of Decision 2000/520.
  • In a judgement of 6 October 2015, the Court declared that decision invalid.
  • Facebook Ireland explained that a large part of the personal data was transferred to Facebook Inc. pursuant to the standard data protection clauses. On that basis, the Commissioner asked Mr. Schrems to reformulate his complaint.
  • In his reformulated complaint lodged on 1 December 2015, Mr. Schrems claimed that United States law requires Facebook Inc. to make the personal data transferred to it available to certain US authorities, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI).
  • In a preliminary ruling decision handed down on 3 October 2017, the High Court set out the results of an examination of the evidence produced before it in the national proceedings, in which the US Government had participated.
  • The referring court stated that it is obliged to take into account any amendments which occurred between the institution of the proceedings and the hearing which it held. That court stated that, in the main proceedings, its own assessment is not confined to the ground of invalidity put forward by the Commissioner, as a result of which it may of its own motion decide that there are other well-founded grounds of invalidity and, on those grounds, refer questions for a preliminary ruling.

The High Court decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

  • Does EU law apply to the transfer of the data by a private company from a third country notwithstanding the provisions of Art. 4(2) TEU in relation to national security and the provisions of Art. 3(2) of the Directive [95/46] in relation to public security, defence and State security?
  • In determining whether there is a violation of the rights of an individual through the transfer of data from the European Union, in relation to national security, what is the relevant comparator for the purposes of Directive [95/46]: the Charter, the EU Treaty, the TFEU or the national laws of one or more Member States?
  • Ought the level of protection in the third country be assessed by reference to the applicable rules in the third country or the rules together with the administrative, regulatory and compliance practices and policy safeguards, procedures, protocols, oversight mechanisms and non-judicial remedies as are in place in the third country?
  • Are the individual’s rights under Art. 7 and 8[1] of the Charter violated if the personal data is transferred from the EU to the USA?
  • Does the level of protection afforded by the United States respect the essence of an individual’s right to a judicial remedy for breach of his or her data privacy rights guaranteed by Article 47 of the Charter[2]?
  • What is the level of protection required to be afforded to personal data transferred to a third country pursuant to standard contractual clauses adopted in accordance with a decision of the Commission under Art. 26(4) of the Directive [95/46] and in particular Articles 25 and 26 read in the light of the Charter?
  • If the personal data transferred pursuant to the clauses is made available to its security services for further processing, does it follow that those clauses do not provide sufficient guarantees as required by Article 26(2) of Directive [95/46]?
  • If a third party data importer is subject to surveillance laws that in the view of a data protection authority conflict with the standard security clauses, is a data protection authority required to use its enforcement powers under Art. 28(3) of the Directive [95/46] to suspend data flows or can a data protection authority use its discretion not to suspend data flows?
  • For the purposes of Art. 25(6) of the Directive [95/46], does the decision constitute a finding that the US ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into?
  • Does the US provide a remedy to data subjects whose personal data is transferred to the US under the decision that is compatible with Art. 47 of the Charter?
  • Does the decision violate Art. 7, 8 and/or 47 of the Charter?

What does the CJEU resolve on the matter?

  • The answer to the first question is that the regulation applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, irrespective of whether, at the time of that transfer or thereafter, that data is liable to be processed by the authorities of the third country in question for the purposes of public security, defence and State security.
  • Second, third and sixth questions: the answer is that appropriate safeguards, enforceable rights and effective legal remedies must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed within the European Union by the GDPR, read in the light of the Charter. The assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of that regulation.
  • The Court’s answer to the eighth question is that, unless there is a valid Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.
  • The answer to the seventh and eleventh questions is that the examination of the decision in the light of Articles 7, 8 and 47 of the Charter has disclosed nothing to affect the validity of that decision.
  • The answer to the fourth, fifth, ninth and tenth questions is that by reason of its domestic law or its international commitments, the third country concerned in fact ensures a level of protection of fundamental rights which is essentially equivalent to that guaranteed in the EU legal order.

The Court resolved that in finding that the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in that third country under the EU-US Privacy Shield, the Commission disregarded the requirements of Article 45(1) of the GDPR, read in the light of Articles 7, 8 and 47 of the Charter. It follows that Article 1 of the Privacy Shield Decision is incompatible with Article 45(1) of the GDPR, read in the light of Articles 7, 8 and 47 of the Charter, and is therefore invalid. Since Article 1 of the Privacy Shield Decision is inseparable from Articles 2 and 6 of, and the annexes to, that decision, its invalidity affects the validity of the decision in its entirety. In the light of all of the foregoing considerations, it is to be concluded that the Privacy Shield Decision is invalid.

As to whether it is appropriate to maintain the effects of that decision for the purposes of avoiding the creation of a legal vacuum, the Court notes that, in any event, in view of Article 49 of the GDPR, the annulment of an adequacy decision such as the Privacy Shield Decision is not liable to create such a legal vacuum. That article details the conditions under which transfers of personal data to third countries may take place in the absence of an adequacy decision under Article 45(3) of the GDPR or appropriate safeguards under Article 46 of the GDPR.


[1] According to Article 7 of the Charter of Fundamental Rights, everyone has the right to respect for his or her private and family life, home, and communications. Article 8 of the Charter provides that everyone has the right to the protection of personal data concerning him or her.

[2] According to Article 47 of the Charter, everyone whose rights and freedoms guaranteed by the law of the Union are violated has the right to an effective remedy before a tribunal in compliance with the conditions laid down in this Article.

The news above is for information purposes only. It is not (binding) legal advice. For a thorough understanding of the subjects covered, and prior to acting on any issue discussed, we kindly recommend that readers consult Ilieva, Voutcheva & Co. Law Firm attorneys at law.