Institutionalizing personal data protection in times of institutional distrust: the Schrems Case

Abstract

The case discussed here is the result of the actions of two individuals, EdwardSnowden and Maximilian Schrems. In 2013, Snowden exposed severalprograms, run by United States (US) intelligence agencies, capable ofcollecting, storing, and analysing personal data of both US citizens and otherson an unprecedented scale. These revelations severely shook the trust ofEuropean citizens in the online activities of governments. The outrage did notimmediately lead to legal action from the EU, but the Commission did initiatea review of Safe Harbour, the Commission decision under which personaldata can be transferred from the EU to the US.1 Using the information releasedby Snowden, Mr Schrems, an Austrian, lodged a complaint with the Irish DataProtection Commissioner about the transfers of his personal data by FacebookIreland ltd to the US under the Safe Harbour decision, Commission Decision2000/520. [First lines]