June 2013: The Guardian reveals the NSA’s Prism program, a vast surveillance operation involving direct access to the systems of Google, Facebook, Apple and other US internet giants. Schrems files his 23rd complaint, about the program.June 2014: A judicial review of Schrems’ complaint fails in the Irish high court, where the judge, Desmond Hogan, said that only the naive or credulous could have been surprised by the Snowden exposé. But Hogan passes the foundational question, about the Safe Harbour agreement, on to the European court of justice.July 2014: Schrems withdraws all but the Prism complaint, and decides to focus attention and funding on pursuing a judicial review.
August 2014: Schrems launches a class action suit against Facebook, capping participation at 25,000 members.March 2015: The CJEU begins considering the case.October 2015: In a surprise move, the court of justice rules in Schrems’ favour, and declares that the Safe Harbour agreement is invalid given the NSA’s snooping. Prism, the court rules, “enables interference, by United States public authorities, with the fundamental rights of persons”.
November 2015: Facebook Ireland uses a “standard contractual clause” in its agreement with Facebook’s HQ to continue the internal data transfer. The contract requires US to follow European law when processing the data of European citizens.July 2016: The EU agrees the EU-US Privacy Shield, an all-encompassing replacement for the Safe Harbour, which again attempts to ensure that European citizens’ data is safe from US government interference, in order to resume free transfer of data across the Atlantic.
June 2018: Schrems files his second case against Facebook Ireland, arguing that the standard contractual clauses and the EU-US Privacy Shield are invalid, as they do not fully protect citizens’ rights.
December 2019: The advocate general of the CJEU delivered a preliminary opinion that standard contractual clauses were likely to be valid, and raised questions over whether the Privacy Shield could be valid given the impacts of US surveillance.
July 2020: The CJEU rules, upholding standard contractual clauses in general but striking down the privacy shield, arguing that the US still does not limit surveillance of EU citizens to that which is “strictly necessary”.