Author: Gungun Sharma, BMS College Of Law

The 2020 judgment of the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v. Facebook Ireland Ltd. and Maximillian Schrems (popularly referred to as Schrems II) has become a cornerstone in international data protection jurisprudence. The ruling invalidated the EU–US Privacy Shield framework, which had governed transatlantic data transfers, while upholding the validity of Standard Contractual Clauses (SCCs) subject to stringent conditions.

At its core, the case tested the balance between economic interests in free data flows and the fundamental rights to privacy and data protection under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. The CJEU’s ruling reshaped not only EU–US relations but also the broader landscape of global data governance.

Parties Involved:

Plaintiff/Complainant: Maximillian Schrems, Austrian privacy advocate and lawyer.

Respondents: Facebook Ireland Ltd. (data exporter), and the Irish Data Protection Commissioner (DPC).

Relevant Facts:

Schrems filed a complaint before the DPC in 2015, challenging Facebook Ireland’s transfers of personal data to the United States, where they were processed on servers governed by U.S. surveillance laws. His core argument was that U.S. surveillance practices, notably under Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, allowed disproportionate access to data, thereby undermining EU citizens’ rights.

Procedural History:

In Schrems I (2015), the CJEU invalidated the “Safe Harbor” framework,citing insufficient safeguards against U.S. surveillance programs revealed by Edward Snowden in 2013.

The EU and U.S. responded with the Privacy Shield (2016), offering a replacement framework.

Schrems contended that the Privacy Shield did not resolve the deficiencies identified in Schrems I and also challenged the sufficiency of SCCs.

The Irish High Court referred the matter to the CJEU for a preliminary ruling.

The central legal issues before the court were:

Validity of the Privacy Shield Framework: Did the Privacy Shield ensure an adequate level of protection for EU citizens’ data as required under Article 45 of the General Data Protection Regulation (GDPR)?

Validity of SCCs as a Transfer Mechanism: Could SCCs provide sufficient safeguards under Article 46 GDPR when transferring personal data to jurisdictions lacking an adequacy decision?

Significance of Issues: These issues mattered not only for EU–US data flows but for all international transfers where the recipient country does not enjoy adequacy status. The judgment thus had far-reaching implications for global digital commerce and privacy regulation.

Holding:

The CJEU invalidated the EU–US Privacy Shield adequacy decision, declaring it inconsistent with EU law.

The SCCs were upheld as valid, but their use required supplementary measures and case-by-case assessments.

Rationale:

Disproportionate surveillance: U.S. surveillance laws were not “limited to what is strictly necessary and proportionate,” contrary to EU standards.¹

Lack of effective remedies: The Privacy Shield’s Ombudsperson mechanism was deemed neither independent nor capable of providing judicial redress, violating Article 47 of the Charter.

Conditional validity of SCCs: SCCs remained a lawful mechanism, provided exporters ensured “essential equivalence” of protection in the importing country.³

Legal Reasoning

Majority Opinion:The CJEU emphasized that international transfers cannot diminish the high level of data protection guaranteed within the EU. Adequacy decisions and contractual safeguards must operate in harmony with the Charter of Fundamental Rights.

Key Provisions and Precedents:

GDPR: Article 45 (adequacy decisions) and Article 46 (appropriate safeguards).

EU Charter: Article 7 (privacy), Article 8 (data protection), Article 47 (effective remedy).

Schrems I (2015): Invalidated Safe Harbor for failing to ensure equivalent protections.

Notable Aspect:The judgment contained no dissenting opinions. The unanimity reflected the CJEU’s strong commitment to fundamental rights.

Legal Precedent:The ruling established that adequacy assessments require a substantive evaluation of third-country laws, not just assurances. Supervisory authorities must suspend transfers where adequate protection cannot be ensured.

Social and Political Impact:

For Businesses: Companies reliant on the Privacy Shield faced immediate disruption, forcing them to shift to SCCs and conduct Transfer Impact Assessments (TIAs).

For EU–US Relations: The decision led to negotiations for the EU–US Data Privacy Framework (DPF), adopted in 2023.

Global Implications: The principles extended to other jurisdictions, compelling countries like India and Brazil to reform surveillance laws to secure adequacy with the EU.

The Schrems II judgment reflects the CJEU’s resolute prioritization of privacy as a non-negotiable fundamental right. The decision underscores that contractual safeguards cannot compensate for systemic deficiencies in a third country’s legal framework.

Strengths:

Reinforces the EU’s role as a global leader in privacy regulation.

Empowers individuals by insisting on effective remedies.

Pressures governments, especially the U.S., to reform surveillance laws.

Weaknesses:

Imposed heavy compliance burdens, particularly on SMEs with limited resources.

Created uncertainty by invalidating the Privacy Shield without a clear transitional framework.

Provided limited clarity on what supplementary measures (e.g., encryption) would suffice.

Alternative Outcomes:A more pragmatic approach could have been to uphold the Privacy Shield with enhanced safeguards, reducing disruption for businesses. However, such a compromise might have diluted the EU’s rights-based framework, undermining the principle of “essential equivalence.

The Schrems II ruling is a landmark in digital rights, cementing the EU’s position that privacy and data protection cannot be subordinated to economic or political expediency. While it caused immediate disruption, the decision elevated global standards of privacy by compelling stronger safeguards for data transfers.

Its enduring legacy lies in highlighting the limits of contractual mechanisms like SCCs and emphasizing the need for systemic legal reforms in third countries. The ruling represents a critical juncture in the evolving tension between data sovereignty, surveillance, and the free flow of information in the digital economy.

1. Case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd. and Maximillian Schrems (Schrems II), Judgment of July 16, 2020, ECLI:EU:C:2020:559.

2. Charter of Fundamental Rights of the European Union, 2012 O.J. C 326/391.

3. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), 2016 O.J. L 119/1.

4. EY Global, How Regulatory Response to Schrems II Affects Global Organizations (2021).

5. Computer Weekly, European Court Upholds EU–US Data Privacy Framework Data Sharing Agreement (Sept. 2025).