Schrems I: The Ruling That Shook EU-US Data Transfers

Published in: International Data Transfers | Case Law Spotlight

In October 2015, the Court of Justice of the European Union (CJEU) issued a landmark judgment that changed the landscape of international data transfers. Known as the Schrems I ruling, the decision invalidated the EU-US Safe Harbour framework, a mechanism used by thousands of organisations to lawfully transfer personal data to the United States.

What Was the Schrems I Case About?

The case (C-362/14) began when Austrian privacy advocate Max Schrems filed a complaint with the Irish Data Protection Commissioner. He argued that the United States did not provide adequate protection for personal data, especially in light of revelations made by Edward Snowden about mass surveillance by US authorities, including the NSA.

At the time, data transfers between the EU and the US were permitted under the Safe Harbour agreement, a framework approved by the European Commission in 2000. Facebook Ireland, like many other organisations, relied on Safe Harbour to transfer EU user data to servers in the US.

The Court’s Judgment

On 6 October 2015, the CJEU ruled that the Safe Harbour decision was invalid.

The Court held that:

• Safe Harbour did not provide an essentially equivalent level of protection as required by EU data protection law.
• US national security and law enforcement interests overrode privacy rights and allowed public authorities to access EU data without clear limitations.
• EU citizens had no effective judicial remedy to challenge misuse of their data in the US.
• The decision restricted the powers of national supervisory authorities (like the Irish DPC), which was contrary to EU law.

As a result, the Safe Harbour framework was struck down with immediate effect. This ruling forced thousands of companies to reconsider how they handled cross-border data flows.

Why Schrems I Still Matters

This case wasn’t just about Facebook. Schrems I was a turning point for international data transfer governance. It established that:

• The European Commission’s adequacy decisions can be challenged and overturned.
• Surveillance practices and lack of judicial redress in third countries undermine adequacy.
• National regulators have a duty to act, even in the presence of a Commission decision.

Schrems I also set the stage for two major developments:

1. The creation of the EU-US Privacy Shield, which would later be invalidated in Schrems II (2020).
2. The increased use of Standard Contractual Clauses (SCCs) and the need for Transfer Impact Assessments (TIAs).

Key Takeaways for UK Organisations

Although this was an EU ruling, the implications still affect UK-based organisations under UK GDPR. Any UK company transferring personal data to the US (or other third countries) must ensure that:

• Transfers are based on lawful mechanisms (SCCs, IDTA, BCRs, etc.)
• Supplementary measures are considered, particularly when US surveillance risks apply
• They monitor adequacy rulings and legal developments in international data law

Need Help With Data Transfers?

Our consultancy team can support you with:

• Transfer Risk Assessments (TRAs)
• Advice Around Appropriate Safeguards
• International Compliance Strategy

Contact us to speak to a data protection expert or explore our international data transfer support.