The Court of Justice of the European Union (CJEU) has in a ruling on 6 October 2015 – Maximillian Schrems versus the Data Protection Commissioner ¹, declared the decision by
the European Commission on the adequacy of US Safe Harbor ², to be invalid.
The case concerns a complaint from Maximillian Schrems, an Austrian citizen, to the Irish Data Protection Commissioner regarding Facebook’s transfer of personal data from the EU to the US. The personal data of Facebook users within the EU is collected by Facebook’s subsidiary in Ireland and then transferred to servers hosted by Facebook’s US entity. The transfer is conducted on the basis of Facebook US Safe Harbor certification. Mr Schrems argued that the US and the Safe Harbor regime did not offer an adequate level of protection for the personal data of EU citizens as the US authorities could get hold of the personal data for non-specific surveillance and monitoring operations – this in light of the revelations made in 2013 by Edward Snowden concerning the activities of the US intelligence services, in particular the NSA. The Irish authority rejected the complaint. The High Court of Ireland, before which the case was brought, asked the CJEU for a preliminary ruling.