International Research Data Transfers

1. Schrems I (C-362/14) – Invalidating “Safe Harbor”

Court of Justice of the European Union (CJEU), 2015

Background

Maximilian Schrems, an Austrian privacy activist, challenged the transfer of Facebook user data from the EU to the United States. At that time, such transfers were based on the Safe Harbor Agreement, which assumed the US provided “adequate protection.”

Legal Issue

Whether the European Commission’s Safe Harbor decision was valid under EU law when US surveillance laws allowed broad access to EU citizens’ data.

Judgment

The CJEU invalidated the Safe Harbor framework.

Key Findings

  • National security and mass surveillance in the US undermined “adequate protection.”
  • EU fundamental rights (privacy and data protection) cannot be overridden by international agreements that do not ensure equivalent protection.
  • National Data Protection Authorities (DPAs) retain power to investigate transfers even if a Commission decision exists.

Impact on research data transfers

  • Research institutions relying on US cloud storage or analytics platforms had to reassess compliance.
  • Forced shift toward alternative legal mechanisms like Standard Contractual Clauses (SCCs).

2. Schrems II (C-311/18) – Invalidating Privacy Shield

CJEU, 2020

Background

After Safe Harbor was invalidated, the EU–US Privacy Shield replaced it. Schrems again challenged Facebook’s data transfers to the US.

Legal Issue

Whether Privacy Shield and Standard Contractual Clauses provide adequate protection in light of US surveillance laws.

Judgment

  • Privacy Shield was declared invalid.
  • SCCs were upheld but with strict conditions.

Key Findings

  • US surveillance laws (e.g., Section 702 FISA, Executive Order 12333) do not provide “essential equivalence” with EU rights.
  • Data exporters must assess destination country laws before transferring data.
  • Additional safeguards (encryption, pseudonymization) may be required.
  • Supervisory authorities must suspend transfers if protection is insufficient.

Impact on research data transfers

  • Major disruption for international clinical trials and academic collaborations involving US institutions.
  • Researchers must conduct Transfer Impact Assessments (TIAs).
  • Increased reliance on:
    • Encryption
    • Data minimization
    • EU-based data storage for sensitive datasets

3. Opinion 1/15 – EU–Canada Passenger Name Record (PNR) Agreement

CJEU, 2017

Background

The EU negotiated an agreement with Canada allowing transfer of airline passenger data (PNR data) for security purposes.

Legal Issue

Whether the agreement complied with EU fundamental rights standards.

Judgment

The CJEU rejected the draft agreement.

Key Findings

  • Mass collection and retention of personal data must be strictly necessary and proportionate.
  • Blanket transfer of sensitive data without clear safeguards violates privacy rights.
  • Data retention periods and usage must be clearly limited.
  • Individuals must have enforceable rights.

Impact on research data transfers

Although not purely a research case, it significantly influenced:

  • The principle of data minimization in cross-border datasets
  • Restrictions on bulk transfer of personal data in research databases
  • Stronger safeguards in epidemiological and transport-related research datasets

4. Digital Rights Ireland (Joined Cases C-293/12 and C-594/12)

CJEU, 2014

Background

The case challenged the EU Data Retention Directive, which required telecom providers to store communications metadata.

Legal Issue

Whether indiscriminate data retention violates EU fundamental rights.

Judgment

The directive was invalidated.

Key Findings

  • Blanket retention of all users’ communication data is disproportionate.
  • Lack of clear safeguards for access and use violates privacy rights.
  • Requires strict necessity-based limitation.

Impact on research data transfers

  • Set the foundational principle that bulk data collection is unlawful unless strictly necessary
  • Affects large-scale research datasets derived from telecom or digital platforms
  • Influenced ethical review standards for big-data research projects

5. Tele2 Sverige AB v Post- och telestyrelsen (C-203/15)

CJEU, 2016

Background

Follow-up to Digital Rights Ireland concerning national data retention laws in Sweden and the UK.

Legal Issue

Whether general and indiscriminate data retention at national level is allowed.

Judgment

The Court ruled it unlawful under EU law.

Key Findings

  • Data retention must be targeted, not general.
  • Access to retained data must be subject to prior review by a court or independent authority.
  • Strong safeguards required against abuse.

Impact on research data transfers

  • Reinforced principle of purpose limitation
  • Research databases must avoid retaining identifiable data without justification
  • Encouraged anonymisation/pseudonymisation in cross-border research datasets

6. Weltimmo Case (C-230/14)

CJEU, 2015

Background

A Slovak company operated a property advertising website targeting Hungarian users and processed their personal data.

Legal Issue

Which national data protection law applies when data processing spans multiple countries?

Judgment

  • The law of the country where the company has “real and effective activity” applies.
  • DPAs can act even if the company is based abroad.

Key Findings

  • Establishes the “establishment principle” for cross-border data processing.
  • Strengthens enforcement powers of national authorities.

Impact on research data transfers

  • Important for multinational research institutions
  • A university or lab may be subject to multiple jurisdictions depending on operational presence
  • Encourages clarity in governance of international research collaborations

Overall Legal Principles Emerging from These Cases

Across all these cases, several core doctrines now govern international research data transfers:

1. Adequacy is strict, not symbolic

A foreign country must provide protection “essentially equivalent” to EU standards.

2. Bulk transfer is highly restricted

Mass or indiscriminate transfer of personal data is generally unlawful.

3. Exporter responsibility

Researchers or institutions transferring data must actively assess foreign legal risks.

4. Strong safeguards are mandatory

Encryption, anonymisation, and pseudonymisation are essential tools.

5. Fundamental rights override trade or convenience

Even large-scale research or security interests cannot override privacy rights without strict necessity.
