Data Protection Commissioner v. Facebook & Max Schrems (Irish High Court)



Data Protection Commissioner v. Facebook & Max Schrems is a follow-up case to the landmark Court of Justice for the European Union (CJEU) ruling striking down the "Safe Harbor" arrangement for transferring personal data of EU consumers from the EU to the United States. This case, now before the CJEU, was brought originally by the Irish Data Protection Commissioner in the Irish High Court. The case concerns whether transferring data to the United States using a different legal mechanism, "standard contractual clauses," violates the European Charter of Fundamental Rights.

In 2015, the Court of Justice for the European Union (CJEU) issued a ruling invalidating the "Safe Harbor", a legal mechanism for transferring EU consumers' personal data to the United States. Following the CJEU ruling, Mr. Schrems filed a renewed complaint with the Irish DPC based on Facebook’s use of “standard contractual clauses” to authorize EU-US data transfers, which provided the basis for a new case in the Irish High Court. Soon after the CJEU decision, the Irish High Court quashed the Irish DPC’s previous decision not to investigate Facebook Ireland regarding the allegations in Mr. Schrems’s first complaint. The Irish DPC then commenced an investigation. The Irish DPC considered two key issues: does the US provide adequate legal protection to EU users whose data is transferred, and, if not, could standard contractual clauses (SCCs) used by Facebook Ireland and Facebook, Inc. to regulate the transfer of that data raise the level of protection and still render transfer permissible? Simultaneously, Mr. Schrems updated his complaint with the DPC against Facebook, and he contended that U.S. surveillance law is not in line with the requirements laid down by EU law including the judgment of the CJEU in the Safe Harbor decision. The CJEU found that the US must make changes to its “domestic laws” and “international commitments” in order to provide essentially equivalent privacy and data protection to the European Union. Additionally, Mr. Schrems argued the SCCs fail to provide the adequate legal protection necessary to otherwise permit data transfers.

In May of 2016, the Irish DPC issued a Draft Decision announcing its preliminary position: that US law fails to adequately provide legal remedies to EU citizens and the SCCs could not address the deficiency in US law. As a result, the Irish DPC suggested the contractual clauses at issue were invalid under EU law. However, the Irish DPC found that, as a representative of one nation in the EU with limited authority, it did not have the ability to declare the clauses invalid under EU law; the Irish DPC argued that standard contractual clauses issued under the broader authority of the European Commission had been deemed by that Commission to authorize data transfers. The Irish DPC argued that, without a finding that the clauses are indeed invalid, it cannot complete its investigation into Facebook.

As a result, the Irish DPC brought the case back before the Irish High Court and sought referral to the CJEU on the question of whether the standard contractual clause decisions are valid under the Charter of Fundamental Rights. EPIC was designated the sole US amicus in that case and provided detailed submissions on US surveillance and privacy law.

The High Court referred the matter to the Court of Justice for the European Union on April 12, 2018.

EPIC’s Interest

The Irish High Court accepted EPIC's application to participate in the case as the only US privacy group, to provide a counterbalancing perspective on U.S. surveillance law to the views offered by the U.S. Government. EPIC has previously participated as an amicus before other international courts. For instance, EPIC joined a case before the European Court of Human Rights concerning the activities of British and U.S. intelligence organizations. EPIC has also appeared as a "friend of the court" in almost 100 cases in the United States concerning emerging privacy and civil liberties issues.

EPIC has taken a leading role in the policy debate over data transfers between the EU and the US, advocating for adequate safeguards for transatlantic data transfers. EPIC and a coalition of EU and U.S. consumer organizations have opposed the Privacy Shield arrangement for its failure to comply with the terms set out by the CJEU in its Safe Harbor decision. Speaking before the European Parliament, Marc Rotenberg outlined several flaws in the agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In testimony before Congress, EPIC also criticized the prior Safe Harbor Arrangement for its lack of effective means of enforcement, redress, and accountability for privacy violations.

Legal Documents


