European Court of Justice, Schrems v. Data Protection Commissioner, C-362/14

(1) Maximillian Schrems, an Austrian citizen and Facebook user, lodged a complaint with the Irish Data Protection Commissioner saying that in light of Edward Snowden's revelations concerning the activities of the United States intelligence services, the law and practice of the United States did not offer adequate protection against surveillance by public authorities of the data transferred to that country. In this case, data provided to Facebook’s Irish subsidiary is transferred to servers located in the United States.

(2) The Court found that European data was not sufficiently protected in the United States and invalidated the Commission Decision 2000/520/EC that created the transatlantic U.S.-EU Safe Harbor agreement. The EU-US Safe Harbor agreement had been in place for 15 years and enabled U.S. companies to transfer data from Europe to the United States merely by self-certifying that they would comply with EU data protection standards. The Court held that even if the U.S. companies involved were taking adequate protection measures, U.S. public authorities are not subject to the Safe Harbor guidelines and therefore European citizens’ data and privacy was at risk to U.S. government surveillance. see also Global FoE