Skip to content

In the long-awaited case ruling in Case C-362/14 Maximillian Schrems v Data Protection Commissioner, the ECJ on 16 July 2020 ruled on whether standard contractual clauses (SCCs) are a legitimate way to transfer data to legal systems outside the EU in compliance with EU data protection law.The Basic Data Protection Regulation (DSGVO) stipulates that personal data may in principle only be transferred to a third country if the country in question guarantees an adequate level of protection for the data. According to Art. 45 DSGVO, the EU Commission can determine whether or not a third country guarantees an adequate level of protection on the basis of its national legislation or its international obligations. If there is no adequacy finding, the sufficient guarantees must be ensured by other means, such as the EU standard data protection clauses.Max Schrems, an Austrian citizen living in Austria, has been a Facebook user since 2008. His personal data is transmitted by Facebook Ireland, in whole or in part, to servers of Facebook Inc. in the USA and processed there. Mr. Schrems lodged a complaint with the Irish supervisory authority, the main aim of which was to have these transfers banned on the grounds that there was insufficient protection against access by the authorities (e.g. the NSA) to the data transferred there. His complaint was rejected by the Irish data protection authority on the grounds that the Commission, in its Decision 2000/5205 (the so-called “Safe Harbour Decision”), had found that the United States provided an adequate level of protection.By judgment of 6 October 2015 (Schrems I), the Court, following a reference for a preliminary ruling from the Irish High Court, annulled that decision. After reformulating his complaint, Max Schrems argued that the United States did not provide adequate protection for data transferred there and that the EU-US Privacy Shield should therefore be declared inappropriate. After escalation to the Irish High Court, the latter referred the validity of both the Decision 2010/87 on standard contractual clauses and the Privacy Shield Decision 2016/1250 to the ECJ