An action spearheaded by Austrian law graduate and privacy campaigner, Max Schrems, has cast doubt over the future of Europe’s Safe Harbour Agreement with the USA.


Whilst studying law in California and writing a paper on privacy and Facebook, Schrems filed a subject access request against Facebook and received over 1,200 pages in response, including details he thought he had deleted and which he had not consented to being shared. The information was shared on Schrems’ website,, and resulted in a further 40,000 subject access requests being made.

Schrems filed a complaint with the Irish Data Protection Commissioner against Facebook Ireland Limited, the company's Irish subsidiary, which is responsible for all accounts belonging to users outside of North America (accounting for 80% of Facebook’s 1.35 billion users) and which is subject to European law. 

The complaint to the Commissioner for alleged breaches of EU privacy law, mass surveillance and involvement in the US National Security Agency’s Prism snooping analysis was dismissed by the Commissioner. 

The Commissioner was asked to investigate Facebook’s involvement in releasing email addresses and other private data of its European users to the NSA and the decided that there were no grounds for an investigation as Facebook’s data transfers were covered by the Safe Harbour agreement, which allows registered US companies to gather customer information in Europe and send it to the USA if the company can offer “adequate protection” for the data in the USA.

An application was made to the Irish High Court for judicial review of the Commissioner’s decision and the case was subsequently referred to the Court of Justice of the European Union where the first hearing was held on 24 March 2015 and a judgment is awaited. 

Simultaneously, Schrems is leading Europe’s largest data privacy law suit in Vienna, which sees 25,000 Facebook users suing the social network for breaches of data protection legislation, with a further 55,000 users registered to join the procedures at a later stage.


The decision of the CJEU may have significant implications for the future of the Safe Harbor Agreement and the data protection practices of many global, internet-based companies operating in Europe, including Apple, Google, Yahoo, Skype and Microsoft, who will be bound by the verdict.

Commentators speculate that the outcome of the judgment may range from a finding that the Safe Harbor system is invalid under EU law, to the introduction of an emergency provision to suspend data flows to individual companies in the US, with Schrems confident there is a very good chance of having the Safe Harbor agreement overturned. At the very least, however, it is expected that there will be a significant renegotiation of the Safe Harbor agreement between the EU and the USA.