2.5 Sources of EU Law & Key CJEU Cases

Key Takeaways

  • EU law is layered into primary law (the founding Treaties and the Charter) and secondary law (Regulations, Directives, and Decisions adopted under the Treaties).
  • Google Spain (C-131/12, 2014) established the right to be delisted from search results, a precursor to the GDPR right to erasure under Article 17.
  • Schrems I (2015) invalidated the US Safe Harbor, and Schrems II (C-311/18, 2020) invalidated the Privacy Shield and tightened the conditions for using Standard Contractual Clauses.
  • Digital Rights Ireland (2014) struck down the Data Retention Directive for disproportionate interference with Charter Articles 7 and 8.
Last updated: June 2026

The Hierarchy of EU Law

Quick Answer: EU law splits into primary law (the founding Treaties plus the Charter of Fundamental Rights) and secondary law (Regulations, Directives, and Decisions). The GDPR is secondary law adopted under Article 16 TFEU, which is primary law. The CJEU interprets all of it, and a few landmark cases shape day-to-day compliance.

Domain I tests both the hierarchy and the leading case law, because exam scenarios frequently hinge on a principle a specific case established — for instance, whether a search engine is a controller, or whether a particular transfer mechanism is valid. A reliable rule of thumb: primary law trumps secondary law, so when a Regulation, Directive, or Commission Decision conflicts with the Charter, the CJEU can strike it down (as the Digital Rights Ireland and Schrems cases demonstrate). Treat case law as the lens through which the abstract hierarchy becomes testable scenarios.

Primary vs Secondary Law

LayerIncludesExamples
Primary lawFounding Treaties and the CharterTreaty on European Union (TEU); Treaty on the Functioning of the EU (TFEU, incl. Article 16, the data-protection legal basis); EU Charter of Fundamental Rights
Secondary lawActs adopted under the Treaties (Art. 288 TFEU)Regulations (e.g., GDPR); Directives (e.g., LED, ePrivacy); Decisions (e.g., adequacy decisions)

Article 288 TFEU also lists non-binding instruments — recommendations and opinions (the category EDPB guidance and former WP29 opinions fall into). Adequacy decisions — Commission findings that a third country offers an adequate level of protection (e.g., the EU-US Data Privacy Framework, Japan, the UK) — are a form of Decision and therefore secondary law; they can be challenged before the CJEU, as the Schrems litigation shows.

Worked example: a stem describes "a Commission act finding that Country X protects data adequately." That is an adequacy decision (a Decision, secondary law), not a Regulation and not primary law — and it is reviewable by the CJEU against the Charter.

Landmark Case: Google Spain (2014)

Google Spain SL v AEPD and Mario Costeja Gonzalez (Case C-131/12, 2014) is foundational. A Spanish citizen objected to outdated newspaper content (about a long-resolved debt and property auction) surfacing in Google search results when his name was searched. The CJEU held that:

  • A search engine operator is a controller in respect of the personal data it indexes and displays, even where the underlying publisher is also a controller.
  • Individuals can, under certain conditions, require a search engine to delist results — the so-called "right to be forgotten" (more precisely, a right to delisting).
  • This right is not absolute: it is balanced against the public interest in access to information, and the data subject's role in public life is relevant (a politician's old conduct may stay searchable; a private individual's may not).

Exam takeaways: (1) the ruling applied the 1995 Directive, not the GDPR, yet directly inspired the GDPR's right to erasure (Article 17); (2) delisting removes a result from name searches — it does not delete the source article itself. Both points are common distractors.

Landmark Cases: Schrems I & II

The two Schrems cases, brought by Austrian campaigner Max Schrems over Facebook's EU-US data transfers, reshaped international transfers (Domain III):

  • Schrems I (Case C-362/14, 2015) — invalidated the EU-US Safe Harbor framework, finding that indiscriminate US government surveillance access was incompatible with EU fundamental rights and that data protection authorities must be able to examine transfer complaints.
  • Schrems II (Case C-311/18, 2020) — invalidated Safe Harbor's replacement, the Privacy Shield. Crucially, it upheld Standard Contractual Clauses (SCCs) in principle but held that the exporter must verify, case by case, that the destination provides "essentially equivalent" protection, adding supplementary measures (technical, contractual, organizational) where the local law falls short — what practitioners call a Transfer Impact Assessment (TIA).
CaseYearMechanism affectedOutcome
Schrems I2015Safe HarborInvalidated
Schrems II2020Privacy Shield / SCCsPrivacy Shield invalidated; SCCs valid only with TIA + safeguards

The practical, heavily-tested takeaway: signing SCCs is not enough — you must assess the importer's legal environment. The 2023 EU-US Data Privacy Framework later replaced the Privacy Shield via a fresh adequacy decision.

Landmark Case: Digital Rights Ireland (2014)

Digital Rights Ireland (Joined Cases C-293/12 and C-594/12, 2014) struck down the Data Retention Directive (2006/24/EC), which had required telecom and internet providers to retain communications metadata (who contacted whom, when, where, how long) for 6-24 months for law-enforcement access.

The CJEU found that mass, indiscriminate retention of the entire population's traffic and location data was a disproportionate interference with Charter Articles 7 (private life) and 8 (data protection), breaching the principles of necessity and proportionality and lacking adequate safeguards (no link to a serious-crime threat, no independent prior review of access).

Why it matters for the exam:

  • It is a leading illustration that even EU secondary law can be annulled when it conflicts with the Charter — reinforcing the rights-based foundation from Section 2.2 and the hierarchy in this section.
  • It anchors the proportionality test you will apply throughout the GDPR (e.g., data minimisation, necessity of processing).

Case Law at a Glance

CaseYearCore holding
Google Spain (C-131/12)2014Search engines are controllers; right to delisting (precursor to Art. 17 erasure)
Digital Rights Ireland2014Data Retention Directive annulled as disproportionate under Charter Arts. 7 & 8
Schrems I (C-362/14)2015Safe Harbor invalidated
Schrems II (C-311/18)2020Privacy Shield invalidated; SCCs upheld but require a transfer impact assessment
Test Your Knowledge

What did the CJEU decide in Schrems II (Case C-311/18, 2020)?

A
B
C
D
Test Your Knowledge

Which GDPR right did the Google Spain (C-131/12) ruling most directly anticipate?

A
B
C
D
Test Your Knowledge

An adequacy decision finding that a third country provides an adequate level of data protection is an example of which source of EU law?

A
B
C
D