Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

International: Schrems II: What you need to know

The Court of Justice of the European Union ('CJEU') published, on 16 July 2020, its highly anticipated judgment ('the Judgment') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). In particular, the CJEU declared the European Commission's EU-US Privacy Shield Decision invalid, and, whilst, the CJEU upheld the use of Standard Contractual Clauses ('SCCs'), it provided clarity around the considerations that organisations and authorities should bear in mind if utilised as the transfer mechanism of choice. OneTrust DataGuidance is committed to bringing you the latest information and regulatory know-how on what the Judgment could mean, and will be continuing to update this page to bring together all the resources needed.

carloscastilla / Essentials collection /

This Insight collates the latest links and resources regarding the Schrems II Case to help your business understand and navigate its implications.

Key documents

  • Access the Judgment here
  • Access the CJEU press release here
  • Access the first NOYB statement here
  • FAQs and model requests issued by NOYB here
  • FAQs issued by the European Data Protection Board here
  • European Commission and U.S. Department of Commerce joint statement on new enhanced Privacy Shield here and here
  • FAQs issued by the Interactive Advertising Bureau ('IAB') Europe here
  • EDPB forms Schrems II complaints and guidance taskforces here
  • FDPIC finds Swiss-US Privacy Shield inadequate here
  • Council of Europe Chair and Data Protection Commissioner issue joint statement and discuss relevance of Convention 108+ for assessments here
  • Guide by the LfDI Baden-Württemberg here
  • DoC Deputy Assistant Secretary statement and white paper on Schrems II here
  • EDPS strategy for EU institutions to comply with Schrems II here
  • NOYB statement updating on 101 complaints and welcoming EDPB task force here
  • French Conseil d'Etat rules that Health Data Hub should not be suspended here
  • EDPS newsletter on data transfers to third countries here
  • EDPB recommendations on surveillance here
  • EDPB recommendations on supplementary transfer measures here

Key resources from OneTrust DataGuidance

EU-EEA DPA comments on Schrems II

Key comments from data protection authorities are summarised or quoted below with links to the original source material.

Access additional coverage here.

DPAOn Privacy ShieldOn SCCOn International TransfersSource
EDPB"The Court has invalidated the Privacy Shield Decision without maintaining its effects, because the U.S. law assessed by the Court does not provide an essentially equivalent level of protection as in the EU. This assessment has to be taken into account for any transfer to the U.S.""The Court highlighted that it is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs or the BCRs can be complied with in practice. If this is not the case, you should assess whether you can provide supplementary measures to ensure an essentially equivalent level of protection as provided in the EEA, and if the law of the third country will not impinge on these supplementary measures so as to prevent their effectiveness.""If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of."Press release 17 July 2020 & FAQs 23 July 2020
EDPS"The EDPS trusts that the United States will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements for adequate safeguards reaffirmed by the Court.""The EDPS notes that the Court, while in principle confirming the validity of Standard Contractual Clauses (SCC), provided welcomed clarifications regarding the responsibilities of controllers and European DPAs to take into account the risks linked to the access to personal data by the public authorities of third countries.""The protection of personal data requires actionable rights for everyone, including before independent courts. It is more than a 'European' fundamental right – it is a fundamental right widely recognised around the globe."Statement 17 July 2020
EstoniaSuggests data controllers will need to review US transfers, including assessing SCC or alternative mechanisms under GDPR.Emphasises the responsibility of those transferring data to assess whether SCC are able to guarantee adequate protection both now and in the future.Notes that transfers should be suspended and alternative safeguards found in any case where adequate protection cannot be guaranteed.Press release and Guidance, 17 July 2020 (only available in Estonian here and here)
Germany - Baden-WürttembergNotes that the judgment affects all public bodies or companies transferring data to the US, especially if they previously based transfers on the Privacy Shield. Continuing transfers may result in fines and compensation for damages.Recommends data controllers contact the recipients of data in regard to amendments to SCCs, which include Annex Clause 4(f), Annex Clause 5(d)(i), Annex Clause 5(d), and Annex Clause 5(d).Includes checklist for companies to ensure data transfers comply with the judgment in relation to, among others, checking if SCCs approved by the Commission can be used and verifying that SCCs are in use.Press releases and Guide, 24 August 2020 (only available in German here, here and here)
Germany - BerlinBerlin Commissioner, Maja Smoltcyk, suggests data controllers based in Berlin storing personal data in the US to transfer the same to Europe and data should not be transferred to the US until that legal framework is reformed. Smoltcyk further outlines that the conclusion of SCC likely not to be enough to enable data transfers.Smoltcyk highlights potential similar concerns to be raised in regard to jurisdictions such as China, India, and Russia.Press release 17 July 2020 (only available in German here)
Germany - DSKThe DSK states that the CJEU invalidated the Privacy Shield and that data transfers to the USA based on the Privacy Shield are inadmissible based on the CJEU's decision that the US law does not provide protection that is in essence equal to EU law.

SCCs may in principle continue to be used, however they require a preliminary protection assessment and in case of data transfers to the USA SSCs without further protective measures are insufficient.

The DSK noted that data transfers based on the Privacy Shield must cease immediately. Moreover, the DSK held that next to SCCs, the CJEU's findings also have an impact on binding corporate rules ('BCRs') and additional protective measures also need to be taken if the data subject rights are not protected to the same level in a third country.

Statement (only available in German here) 28 July 2020

Germany - FederalThe Federal Commissioner, Professor Ulrich Kelber, noted the potential need for particular protective measures for transfers to the US.Kelber emphasised supervisory authorities roles in assessing individual transfers.Kelber generally noted that the decision supports a clearer framework for international transfers.Press release 16 July 2020 (only available in German here)
Germany - HamburgDecision welcomed, emphasises that US has not fundamentally changed thinking since annulment of Safe Harbor.Suggests SCC are equally unsuitable as Privacy Shield and highlights increased responsibilities of supervisory authorities assessing SCC.Highlights broad impact of decision and questions whether transfers can be permitted to third countries that do not provide adequate protection.Press release 16 July 2020 (only available in German here)
Germany - Rhineland-PalatinateNotes that decision strengthens data subject rights, and emphasises work for organisations to reassess practices.Stresses audit obligations of companies.Highlights importance of whether laws in third countries may contravene European data protection law.Press release 16 July 2020 (only available in German here) and FAQs (only available in German here)
Germany - ThuringiaThe TLfDI data protection officer, Dr Lutz Hasse, welcomed CJEU decision, highlighting the potential lack of proportionality in US data flow monitoring.Hasse questioned whether SCC will remain viable and how assessments by data exporters and recipients will work.Not applicable.Press release 17 July 2020 (only available in German here)
Ireland"Today’s judgment [...] firmly endors[es] the substance of the concerns expressed by the DPC (and by the Irish High Court) to the effect that EU citizens do not enjoy the level of protection demanded by EU law when their data is transferred to the United States.""in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis."Not applicable.Press release 16 July 2020
ItalyHighlights that the Privacy Shield has been invalidated.Notes that SCCs remain valid.Not applicable.Press release (only available in Italian here)
LiechtensteinHighlights that alternative mechanisms than Privacy Shield, including SCC, must be used until a new agreement is made with the US.Emphasises that SCC may be used for transfers to the US, and provided minimal further references to assessments.Not applicable.Press release and updated Guidance 17 July 2020 (only available in German here and here)
NetherlandsNotes that the European Commission should consider a new regime for transfers to the US.Suggests that, under the CJEU judgment, SCCs remain a valid means for data transfers to the US.Not applicable.Press release 20 July 2020 (only available in Dutch here)

Highlights concerns raised around US intelligence services and data subject rights.

Notes that it is essentially the responsibility of the data exporter and recipient to assess whether adequate protection under SCC will be respected in recipient jurisdiction.Not applicable.Press release 16 July 2020 (only available in Norwegian here)
PolandHighlights that transfers to US under Privacy Shield should have stopped from the decision's release on 16 July 2020.Emphasises that data controller assessments of SCCs should consider not only contractual provisions but potential access to data from third country authorities.Generally indicates that where there is not a sufficient level of protection within a third country's legislative framework, other means may be available to provide adequate protection.Press release 20 July 2020 (only available in Polish here)
RomaniaGenerally notes CJEU concerns regarding US intelligence services and confidentiality of transferred data.Explicitly identifies that alternative mechanisms for transfers to the US include SCCs, BCRs, and codes of conduct.Not applicable.Press release 20 July 2020 (only available in Romanian here)
SerbiaHighlights that transfers made using Privacy Shield framework are now illegal.Not applicable.Generally notes that controllers and processors who relied on the Privacy Shield framework need to find alternative mechanisms for the transfer of data.

Press release 11 August 2020 (only available in Serbian here)

SloveniaEmphasises that organisations transferring data to US should find alternative mechanisms.Notes alternative mechanisms for transfers to US under GDPR include SCC and BCR.Not applicable.Press release 16 July 2020 (only available in Slovenian here)
SpainDescribes decision as a new turning point for data transfers to the US.Notes the validity of SCC in general terms.Emphasises the need for a harmonised EU approach and consistent application of the decision.Press release 22 July 2020 (only available in Spanish here)
UK[From the UK Government] "disappointed that the EU's adequacy decision for US Privacy Shield has been invalidated"UK Government is "pleased that this important mechanism [SCC] for transferring data internationally remains in place and is considering any further implications that may arise from the judgment in respect of this.""Coronavirus ('COVID-19') has demonstrated the importance of international data transfers. The recent crisis has shown how data transfers keep economies moving and societies functioning"UK Government Press release 17 July 2020


Live reaction to the key landmark decision on the future of international data transfers

We hosted an immediate reaction and analysis with leading industry panelists on this landmark decision to understand its impact on your business and what the future may hold.

Panelists included:

  • William Long - Partner, Leader of the EU Data Protection Practice, Sidley Austin LLP
  • Caroline Louveaux - Chief Privacy Officer, MasterCard
  • Lee Parker - Director Data Privacy EU+, Biogen
  • Lara Liss - Chief Privacy Officer, Walgreens Boots Alliance
  • Monica Tomczak - Chief Privacy Officer, Prosus, Division of Naspers
  • Alan Raul - Partner, Leader of Privacy and Cybersecurity Practice, Sidley Austin LLP
  • David Longford - Global Offering Manager, OneTrust DataGuidance

Access the webinar here and the Key takeaways here.

Is the US 'Essentially Equivalent' with the EU?: Schrems II Legal Analysis

Join us for a webinar as we react to the ruling and discuss what it means in correlation to privacy programs and other global regulations.

Access the webinar and the Key takeaways here.