Schrems Ruling I/II

Not many people have the honor of having landmark rulings of the European Court of Justice (ECJ) named after them. Only one person has a series of such rulings with a good chance of expansion.

The Schrems I and Schrems II judgments refer to the cases in which Maximilian Schrems, a data protection activist, challenged the validity and adequacy of the data transfer tools Safe Harbor and Privacy Shield under EU law. With success.

In both cases, The ECJ found that the respective mechanisms did not provide adequate protection against interference with individuals' privacy rights as guaranteed by EU law. The main grounds were that those transfer tools were meaningless because US companies are obliged at all times and without restriction to hand over personal data of EU data subjects to US intelligence agencies and law enforcement authorities, violating the Safe Harbor and Privacy Shield obligation. More bluntly: Those transfer tools were fine on paper but in practice not worth the electrons used to save them on a hard disk.

Not only are there far-reaching access rights for law enforcement and intelligence authorities under US law that are not (and cannot) secured by adequate measures to protect the rights of data subjects. There are also virtually no effective legal protection measures for the affected data subjects. Neither are they being informed about access to their personal data nor can they challenge such access in any meaningful way.