Victory for data protection: "Privacy Shield" overridden

© Andrey Popov – stock.adobe.com

Max Schrems against Facebook – this dispute over data protection standards has been going on for years. The lawyer has already brought down an important agreement for data transfers. Now the next follows. However, user data from EU citizens can still get to the USA.


The European Court of Justice has overturned the EU-US data protection agreement “Privacy Shield”. In the legal dispute between Austrian lawyer Max Schrems and Facebook, however, the Luxembourg judges stated that user data from EU citizens can still be transferred to the United States and other countries based on standard contractual clauses.

The background is a complaint by data protection activist Schrems. The Austrian lawyer had complained to the Irish data protection authority that Facebook Ireland forwards its data to the parent company in the USA. He justified his complaint by saying that Facebook in the United States was obliged to make data available to US authorities such as the NSA and the FBI – without the victims being able to take action against it. An Irish court would like to know from the ECJ whether the so-called standard contractual clauses and the EU-US data protection agreement “Privacy Shield” are compatible with the European level of data protection.

The Luxembourg judges now declared the “Privacy Shield” invalid. With regard to the access options of the US authorities, the data protection requirements are not guaranteed. In addition, legal protection for those affected is insufficient.

The core of the standard contractual clauses is to provide guarantees that the data of EU citizens are adequately protected even when transferred from the EU abroad. The “Privacy Shield” is another channel that is only available for data transfer to the USA.

Schrems said in a first reaction that he was very happy with the verdict. “At first glance, the Court seems to have followed us in all aspects. This is a total blow to the Irish data protection agency DPC and Facebook. It is clear that the US must seriously change its surveillance laws if US companies want to continue to play a role in the EU market. ”

At Schrems’ operation, the CJEU had already criticized the predecessor of the “Privacy Shield”, the Safe Harbor regulation, in 2015 because it did not adequately protect the data of European citizens against access by the US authorities. The revelations of whistleblower Edward Snowden in 2013 regarding widespread Internet surveillance by US secret services also played an important role in this assessment. However, Facebook does not rely on the “Privacy Shield” when transferring the data from Europe to the USA, but on the

Image source:

  • Judgment: © Andrey Popov – stock.adobe.com


Leave a Reply

Your email address will not be published. Required fields are marked *