Schrems I


Schrems I was a case that reached the European Court of Justice. Named after Max Schrems, it was based on the claim that, in the context of the NSA PRISM program, revealed to the public by Edward Snowden, US companies would not be able to guarantee adequate personal data protection. Therefore, it was ruled that, under the European Directive on Data Protection, it was not legal to do any personal data transfer between the EU and the US. This led to the invalidation of the Safe Harbor agreement and had serious implications on the activities of several companies.

What does Schrems I mean?

Schrems I is the generic name for a data-privacy-related court case at the ECJ. It is named after Max Schrems, an Austrian activist that filed a complaint against Facebook, arguing that the company could not ensure adequate measures of protection of his personal data, as they were being transferred from the EU to the United States.

The case started in 2013, in Ireland, the Facebook headquarters in Europe, with a complaint to the Irish Data Protection Commissioner. It was escalated and reached the ECJ in 2015, as Max Schrems was not happy with the response he received and went on to file a complaint against the Data protection Commisioner itself. The European Court ruled in favor of Schrems in October 2015.

What were the consequences of Schrems I ?

This meant that an entire transnational agreement between the EU and the US, called the Safe Harbor, was automatically invalidated. In practice, it was no longer possible to transfer the data of European citizens to the US, as it was ruled that the latter could not ensure adequate standards for privacy. This was in the context of the NSA PRISM scandal that showed that private data was being accessed by the US agency without any consent.

Therefore, all companies doing business that involved EU citizen data were no longer protected by the Safe Harbor, and, for some time, it was illegal for them to process personal data. This would have a big impact on several companies. Any company had to now consider whether simple processes like users accessing their websites could lead to their personal data (IP, location, other data stored in cookies) being illegally transferred to the US. This was the case if said websites were using US third party apps like, for example, Google Analytics.

Although the EU and the US worked on a subsequent agreement, called the Privacy Shield, this was also invalidated in 2020, after another complaint from the same man led to the Schrems II case.