This case has its roots in a complaint about personal data being transferred from Facebook Ireland Ltd. to its US parent company, and then being accessed by US state security agencies. The concerns arose in light of the disclosures by Edward Snowden regarding a program called "PRISM", which is said to be operated by the US National Security Agency (NSA).
On 25 June 2013, Maximilian Schrems issued a complaint to the Irish Data Protection Commissioner (DPC). In this complaint, Mr. Schrems challenged the validity of Facebook applying the Safe Harbour agreement, a legal instrument for EU/US data transfers approved by the EU Commission (EC). The DPC declined to investigate the complaint, as it considered itself bound by EU law and the EC decision to comply with the Safe Harbour agreement. Mr. Schrems appealed this decision before the Irish High Court, and the High Court then referred the following questions to the Court of Justice of the European Union (CJEU) for a preliminary ruling. In essence, the following questions were asked:
(1) Whether a data protection authority (DPA) (in this case the DPC) in the course of investigating an individual's complaint that personal data is being transferred to another third country (in this case, the US), where laws and practices do not provide adequate protections for the individual, is absolutely bound by the Safe Harbour Decision of the EC, having regard to the provisions of Article 25(6) of Directive 95/46 and Articles 7, 8 and 47 of the European Charter of Fundamental Rights (ECFR)?
(2) Or, alternatively, may and/or must the DPA (in this case the DPC) conduct its own investigations of the matter, in light of factual developments in the meantime, since that EC decision was first published?
It was now up to the CJEU to determine whether, in light of Articles 7, 8 and 47 of the ECFR, the Safe Harbour agreement was binding on the DPC and whether the DPC was prevented from investigating individual complaints related to an EC decision and legal instruments based on it.
On 6 October 2015, the CJEU ruled that national DPAs have the right to investigate individual complaints related to EC decisions and legal instruments based on these decisions, but also made very clear that only the CJEU is authorized to declare such a decision or instrument invalid.
That said, although the question was not specifically referred for a preliminary ruling by the High Court, the CJEU declared the Safe Harbour agreement invalid. The main reason for this ruling appeared to be that the CJEU was of the opinion that, in adopting Article 3 of the Safe Harbour agreement, the EC exceeded its powers by taking a shortcut on the adequacy procedure that should be followed according to Directive 95/46/EC.
Following the invalidity of the Safe Harbour agreement, the Privacy Shield mechanism was implemented in order to replace the Safe Harbour agreement and to function as an instrument for EU/US data transfer.
Migration from Safe Harbour to Privacy Shield
On 6 October 2015, the CJEU declared the Safe Harbour agreement invalid.
On 15 October 2015, the vice-president of the EC and two commissioners met with business and industry representatives who asked for a clear and uniform interpretation of the ruling and for more clarity on the instruments that could be used to transfer data after the Safe Harbour agreement was declared invalid.
The Article 29 Working Party (currently the European Data Protection Board (EDPB)) published a statement on 16 October 2015 on the consequences of the Schrems I case. The working party urged Member States to pursue negotiations on an agreement to replace the Safe Harbour agreement. However, it also suggested an informal grace period of three months during which the DPAs would not take enforcement action.
After this statement, on 6 November 2015 the EC issued guidance for companies regarding the different options of data transfer to the US, following the Schrems ruling, for the intermediate period until a new framework was put in place. In this guidance, the EC suggested three alternatives for transatlantic data transfer: Standard Contractual Clauses, Binding Corporate Rules and Transfer Derogations.
The EC had already started discussions in 2014 with the intention of improving the Safe Harbour agreement; however, after Safe Harbour was ruled invalid, these efforts intensified. On 2 February 2016, the EU and US announced that they had reached an agreement. On 29 February 2016, the concept version of this agreement was published. After the publication, the European Data Protection Supervisor and the Article 29 Working Party submitted their advice on further development of this concept agreement.
Finally, on 8 July 2016 the Member States adopted the agreement, and on 12 July 2016 the Privacy Shield agreement was formally implemented and entered into force.