Today Marks 10 Years Since the Landmark Schrems Ruling: A Decade of Transformation in EU-US Data Transfers

Today, October 6, 2025, marks the tenth anniversary of one of the most consequential data protection rulings in European jurisprudence: the Court of Justice of the European Union's decision in Maximillian Schrems v Data Protection Commissioner (Case C-362/14). On this day in 2015, the CJEU declared the Commission's Safe Harbour Decision invalid, fundamentally reshaping the landscape for transatlantic data flows and affirming that national data protection authorities retain independent oversight powers even where the European Commission has issued an adequacy finding. A decade later, the principles established in this landmark judgment continue to influence international data transfer mechanisms and define the boundaries of permissible government surveillance in the digital age.

Background

The Safe Harbour Framework

Under Directive 95/46/EC (the Data Protection Directive), transfers of personal data to third countries could only proceed where the destination country ensured an "adequate level of protection." In July 2000, the European Commission adopted Decision 2000/520/EC, finding that the United States provided adequate protection through its Safe Harbour scheme—a voluntary framework of privacy principles to which US companies could self-certify.

The Snowden Revelations and Mr. Schrems' Complaint

Maximillian Schrems, an Austrian citizen and Facebook user since 2008, lodged a complaint with the Irish Data Protection Commissioner in 2013 following Edward Snowden's revelations about mass surveillance programs conducted by US intelligence agencies, particularly the National Security Agency (NSA). Mr. Schrems argued that US law and practice failed to provide sufficient protection against government surveillance of personal data transferred from the EU to US servers operated by Facebook.

The Irish supervisory authority rejected the complaint, citing the Commission's Safe Harbour Decision as determinative. Mr. Schrems challenged this dismissal before the High Court of Ireland, which referred questions to the CJEU concerning whether the Commission's adequacy decision precluded national authorities from examining individual complaints about data protection standards in third countries.

Decision and Legal Reasoning

National Supervisory Authority Powers

The CJEU held that the existence of a Commission adequacy decision cannot eliminate or reduce the powers of national supervisory authorities under the Charter of Fundamental Rights and the Data Protection Directive. The Court emphasized that national authorities must retain the ability to examine, with complete independence, whether data transfers comply with EU requirements—even where the Commission has issued a favorable adequacy determination.

However, the Court clarified an important jurisdictional limit: while national authorities may investigate complaints and express doubts about a Commission decision's validity, only the CJEU has jurisdiction to formally declare an EU act invalid. Consequently, where national authorities or complainants question a Commission decision's validity, they must bring proceedings before national courts, which may then refer the matter to the CJEU through the preliminary reference procedure.

Invalidation of the Safe Harbour Decision

The Court then examined whether the Safe Harbour Decision itself was valid. The CJEU established that the Commission was required to find that the United States ensured "a level of protection of fundamental rights essentially equivalent" to that guaranteed within the EU under the Directive read in light of the Charter of Fundamental Rights.

The Court identified fatal deficiencies in the Safe Harbour framework:

• Scope Limitations: The scheme applied only to participating US companies, not to US public authorities. National security, public interest, and law enforcement requirements prevailed over Safe Harbour protections, requiring companies to disregard the scheme's protective rules when they conflicted with such requirements.
• Mass Surveillance Without Safeguards: Drawing on two Commission communications from November 2013, the Court found that US authorities could access and process personal data transferred from EU Member States in ways incompatible with the purposes for which it was transferred, exceeding what was strictly necessary and proportionate for national security protection. The Court held that legislation authorizing storage of all personal data on a generalized basis—without differentiation, limitation, or exception—could not satisfy the requirement of essential equivalence to EU fundamental rights protection.
• Absence of Judicial Remedies: The Court found that individuals had no administrative or judicial means to access, rectify, or erase their personal data held by US authorities. Legislation failing to provide such remedies compromised the essence of the fundamental right to effective judicial protection, a cornerstone of the rule of law.
• Ultra Vires Restriction of Supervisory Powers: The Safe Harbour Decision impermissibly denied national supervisory authorities their powers to examine complaints challenging the decision's compatibility with privacy and fundamental rights. The Commission lacked competence to restrict national authorities' oversight functions in this manner.

For these reasons, the Court declared Decision 2000/520/EC invalid, requiring the Irish Data Protection Commissioner to examine Mr. Schrems' complaint with due diligence and determine whether Facebook's data transfers to the United States should be suspended.

Implications

Immediate Impact on Transatlantic Data Flows

The Schrems judgment created immediate legal uncertainty for thousands of companies relying on Safe Harbour to legitimize EU-US data transfers. The invalidation left organizations scrambling to identify alternative transfer mechanisms under the Data Protection Directive, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), though subsequent developments would call even these mechanisms into question.

Empowerment of National Data Protection Authorities

The ruling significantly strengthened the role and independence of national supervisory authorities. By confirming their continuing competence to examine data transfers notwithstanding Commission adequacy decisions, the judgment reinforced the multi-layered enforcement architecture of EU data protection law and positioned data protection authorities as active guardians of fundamental rights rather than passive implementers of Commission determinations.

Elevation of Fundamental Rights Standards

The decision elevated the substantive standard for adequacy determinations. The "essentially equivalent" test established by the Court requires meaningful assessment of a third country's legal framework, including limitations on government surveillance powers and availability of effective remedies. This standard has proven demanding: the Court rejected blanket surveillance programs and emphasized that access to personal data must be subject to clear limitations, objective criteria, and independent oversight.

Catalyst for EU-US Privacy Shield and Beyond

The Schrems ruling prompted intensive negotiations between the EU and United States, culminating in the EU-US Privacy Shield framework adopted in July 2016. However, this successor arrangement would itself be invalidated by the CJEU in Schrems II (Case C-311/18) in July 2020 on grounds that US surveillance laws still failed to provide essentially equivalent protection. These developments underscore the judgment's enduring influence on the requirements for lawful international data transfers.

As we mark this tenth anniversary, the principles established in 2015 remain the cornerstone for evaluating the legitimacy of international data transfers in an increasingly interconnected yet surveillance-conscious world. The Schrems judgment endures as a touchstone for understanding the intersection of data protection, fundamental rights, and cross-border data flows in the digital age.