Court of Justice of the European Union
PRESS RELEASE No 91/20
Luxembourg, 16 July 2020
Press and Information
Judgment in Case C-311/18
Data Protection Commissioner v Facebook Ireland and Maximillian Schrems
The Court of Justice invalidates Decision 2016/1250 on the adequacy of the
protection provided by the EU-US Data Protection Shield
However, it considers that Commission Decision 2010/87 on standard contractual clauses for the
transfer of personal data to processors established in third countries is valid.
The General Data Protection Regulation1 (‘the GDPR’) provides that the transfer of such data to a
third country may, in principle, take place only if the third country in question ensures an adequate
level of data protection. According to the GDPR, the Commission may find that a third country
ensures, by reason of its domestic law or its international commitments, an adequate level of
protection.2 In the absence of an adequacy decision, such transfer may take place only if the
personal data exporter established in the EU has provided appropriate safeguards, which may
arise, in particular, from standard data protection clauses adopted by the Commission, and if data
subjects have enforceable rights and effective legal remedies.3 Furthermore, the GDPR details the
conditions under which such a transfer may take place in the absence of an adequacy decision or
Maximillian Schrems, an Austrian national residing in Austria, has been a Facebook user since
2008. As in the case of other users residing in the European Union, some or all of Mr Schrems’s
personal data is transferred by Facebook Ireland to servers belonging to Facebook Inc. that are
located in the United States, where it undergoes processing. Mr Schrems lodged a complaint with
the Irish supervisory authority seeking, in essence, to prohibit those transfers. He claimed that the
law and practices in the United States do not offer sufficient protection against access by the public
authorities to the data transferred to that country. That complaint was rejected on the ground, inter
alia, that, in Decision 2000/5205 (‘the Safe Harbour Decision’), the Commission had found that the
United States ensured an adequate level of protection. In a judgment delivered on 6 October 2015,
the Court of Justice, before which the High Court (Ireland) had referred questions for a preliminary
ruling, declared that decision invalid (‘the Schrems I judgment’).6
Following the Schrems I judgment and the subsequent annulment by the referring court of the
decision rejecting Mr Schrems’s complaint, the Irish supervisory authority asked Mr Schrems to
reformulate his complaint in the light of the declaration by the Court that Decision 2000/520 was
invalid. In his reformulated complaint, Mr Schrems claims that the United States does not offer
sufficient protection of data transferred to that country. He seeks the suspension or prohibition of
future transfers of his personal data from the EU to the United States, which Facebook Ireland now
carries out pursuant to the standard data protection clauses set out in the Annex to Decision
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive
95/46/EC (OJ 2016 L 119, p. 1).
2 Article 45 of the GDPR.
3 Article 46(1) and (2)(c) of the GDPR.
4 Article 49 of the GDPR.
5 Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on
the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions
issued by the US Department of Commerce (OJ 2000 p.7).
6 Case:C-362/14 Schrems see also Press Release No. 117/15.