Court of Justice of the European Union
PRESS RELEASE No 117/15
Luxembourg, 6 October 2015
Press and Information
Judgment in Case C-362/14
Maximillian Schrems v Data Protection Commissioner
The Court of Justice declares that the Commission’s US Safe Harbour Decision is
Whilst the Court of Justice alone has jurisdiction to declare an EU act invalid, where a claim is
lodged with the national supervisory authorities they may, even where the Commission has
adopted a decision finding that a third country affords an adequate level of protection of personal
data, examine whether the transfer of a person’s data to the third country complies with the
requirements of the EU legislation on the protection of that data and, in the same way as the
person concerned, bring the matter before the national courts, in order that the national courts
make a reference for a preliminary ruling for the purpose of examination of that decision’s validity
The Data Protection Directive1 provides that the transfer of personal data to a third country may, in
principle, take place only if that third country ensures an adequate level of protection of the data.
The directive also provides that the Commission may find that a third country ensures an adequate
level of protection by reason of its domestic law or its international commitments. Finally, the
directive provides that each Member State is to designate one or more public authorities
responsible for monitoring the application within its territory of the national provisions adopted on
the basis of the directive (‘national supervisory authorities’).
Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case
with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to
Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States,
where it is processed. Mr Schrems lodged a complaint with the Irish supervisory authority (the Data
Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by
Edward Snowden concerning the activities of the United States intelligence services (in particular
the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer
sufficient protection against surveillance by the public authorities of the data transferred to that
country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of
26 July 20002 the Commission considered that, under the ‘safe harbour’ scheme,3 the United
States ensures an adequate level of protection of the personal data transferred (the Safe Harbour
The High Court of Ireland, before which the case has been brought, wishes to ascertain whether
that Commission decision has the effect of preventing a national supervisory authority from
investigating a complaint alleging that the third country does not ensure an adequate level of
protection and, where appropriate, from suspending the contested transfer of data.
In today’s judgment, the Court of Justice holds that the existence of a Commission decision
finding that a third country ensures an adequate level of protection of the personal data transferred
cannot eliminate or even reduce the powers available to the national supervisory authorities
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals
with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).
Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of
the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently
asked questions issued by the US Department of Commerce (OJ 2000 L 215, p. 7).
The safe harbour scheme includes a series of principles concerning the protection of personal data to which United
States undertakings may subscribe voluntarily.