Glossary · EU Data Transfer Law Schrems I (Schrems v. Data Protection Commissioner (Case C-362/14, 2015))
2015 CJEU ruling that invalidated the US-EU Safe Harbor framework after Edward Snowden's revelations, finding that US surveillance laws prevented adequate protection of EU personal data.
## What Schrems I actually was
Schrems I is shorthand for the 2015 ruling **Schrems v. Data Protection Commissioner (Case C-362/14)** by the Court of Justice of the European Union (CJEU). The court invalidated the **US-EU Safe Harbor framework** — the data transfer mechanism that, since 2000, had allowed US companies to receive EU personal data by self-certifying compliance with EU privacy standards.
The case was brought by Austrian privacy activist **Maximilian Schrems**, whose challenge to Facebook's transfer of his personal data to the US triggered the ruling.
## The historical context
In **June 2013**, NSA contractor **Edward Snowden** leaked documents revealing mass US surveillance of communications data, including through programs like PRISM that obtained data from major US tech companies.
Schrems' argument was straightforward: the Safe Harbor framework assumed adequate US protection of EU data, but Snowden's revelations made clear that US surveillance laws (FISA Section 702, Executive Order 12333) provided no meaningful protection for non-US persons. Therefore Safe Harbor's foundation was false.
The CJEU agreed.
## What the CJEU actually ruled
The October 2015 ruling found that:
1. The European Commission's Safe Harbor adequacy decision was **invalid**
2. National data protection authorities have **independent power** to investigate transfer claims even when an adequacy decision exists
3. EU data subjects must have **effective judicial remedy** for surveillance access — which US law did not provide
4. Surveillance access must be **proportionate** — US programs that collected data in bulk were not
The ruling struck down Safe Harbor immediately, creating chaos for the thousands of US companies relying on it for EU data transfers.
## What followed Schrems I
### Privacy Shield (2016)
The EU and US negotiated a successor framework: **Privacy Shield**. It tightened some Safe Harbor provisions (Ombudsperson role, written commitments from US intelligence agencies on access limits). Came into force July 2016.
### Schrems II (2020)
Schrems challenged Privacy Shield on the same grounds. The CJEU ruled in **Schrems II (Case C-311/18, 2020)** that Privacy Shield was *also* invalid because the same fundamental issue persisted: US surveillance law provided inadequate protection.
See [Schrems II](/en/glossary/schrems-ii/) for the second case.
### EU-US Data Privacy Framework (2023)
After Schrems II, the EU and US negotiated yet another successor: the [EU-US Data Privacy Framework](/en/glossary/eu-us-data-privacy-framework/), which came into force July 2023. Schrems has indicated he intends to challenge this too on substantially similar grounds.
## Why Schrems I still matters
### 1. Established the legal pattern
Schrems I created the analytical framework still used: when EU data transfers depend on adequacy or equivalent mechanisms, those mechanisms must be evaluated against actual third-country surveillance laws — not against paper commitments.
### 2. Enabled GDPR enforcement
Schrems I established that data protection authorities have independent investigative power. This became important as GDPR took effect in 2018.
### 3. Created the structural problem
The structural issue Schrems I identified — that US surveillance laws cannot satisfy EU adequacy without legal reform — has persisted across three successive frameworks (Safe Harbor → Privacy Shield → EU-US DPF). Without US surveillance reform, this likely continues.
### 4. Shaped European tech industry
Schrems I, II, and the underlying tension created ongoing demand for EU-resident, EU-jurisdiction alternatives to US tech — much of what BetterInEurope catalogs.
## What Schrems I means in practice
For European businesses today:
### The chain of cases
When evaluating whether you can transfer personal data to US providers, you're navigating the chain that Schrems I started: Safe Harbor invalidated → Privacy Shield invalidated → EU-US DPF (current, vulnerable to challenge).
### The deeper question
Schrems I made clear that US-EU data transfer is fundamentally a question about US surveillance reform, not just paperwork. As long as FISA 702 and CLOUD Act exist, frameworks built on top remain structurally vulnerable.
### Why "EU-resident, EU-jurisdiction" matters
Companies that are genuinely European (not just EU-operating subsidiaries of US firms) avoid the entire Schrems-line problem. They are not subject to CLOUD Act or FISA 702.
## Practical implications
For most European tech buyers:
- **Schrems I is history**, but its consequences shape current decisions
- **EU-US DPF is current law**, but Schrems-line challenges are ongoing
- **Genuine European alternatives** sidestep the issue entirely
- **Transfer Impact Assessments** ([TIAs](/en/glossary/tia/)) are required when transfers continue
The simplest path to durable compliance is choosing providers where the question doesn't arise.
Was this helpful?
Thanks for your feedback!