The Definitive Guide to Schrems II
This page is regularly updated for accuracy and comprehensiveness. Last update: November 22, 2022.
In this definitive guide to understanding Schrems II, we cover all the key developments of the Schrems II case from its background, the judgment, and next steps to help you provide you as a one-stop resource for understanding Schrems II.
What is Schrems II?
On July 16, 2020, the Court of Justice of the European Union (CJEU) published its judgment in the Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (the Schrems II case). In its judgment, the CJEU declared the EU-US Privacy Shield – one of the primary data transfer mechanisms for the safe and free flow of data between EU and US organizations - invalid. The judgment did uphold the use of Standard Contractual Clauses (SCCs), however, it cast some doubt over this method of transferring personal data outside of the EU. The outcome of the judgment left many organizations having to re-think the way they handle personal data transfers and whether the transfer mechanisms they have in place were compliant with EU data protection law.
Download now: The Definitive Guide to Schrems II eBook
In November 2020, the European Data Protection Board (EDPB) adopted its recommendations for measures that supplement transfer tools as well as its recommendations on the European Essential Guarantees for surveillance measures. While the former assisted data controllers and data processors to implement appropriate measures for ensuring an essentially equivalent level of protection to the data transferred to third countries, the latter provided guidance on whether surveillance measures by national security agencies or law enforcement authorities in a third country can be regarded as a justifiable interference or not. A day after the EDPB released is recommendations, the European Commission released a set of revised SCCs for public consultation.
The consultation period for the European Commission’s revised SCCs ended on December 10, 2020. On June 4, 2021, the European Commission adopted two sets of modernized SCCs. The SCCs adopted by the Commission cover two use cases – one for use between Controllers and Processors under Article 28 of the GDPR and another for the transfer of personal data to third countries. The two new sets of SCCs are said to align more closely with the GDPR and will “offer more legal predictability to European businesses and help, in particular, SMEs to ensure compliance with requirements for safe data transfers.”
On June 18, 2021, the EDPB adopted its final recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. The final guidance outlined a six-step roadmap to help support data exporters and importers ensure a level of data protection equivalent to that offered in the EU when transferring personal data internationally as well as several important updates including the importance of the third country assessment.
Table of Contents
- Background and Timeline to Schrems II
- The Schrems II Case
- The Schrems II Judgement
- EDPB Final Recommendations: Supplementary Measures
- What is a Transfer Impact Assessment (TIA)?
- EDPB Recommendations: The Essential Guarantees
- The European Commission’s Modernized SCCs
- EU-US Data Privacy Framework
- Next Steps for Schrems II
- List of Adequate Countries
- Further Resources for Understanding Schrems II
Schrems II is the most commonly used abbreviation for the Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) case brought forward by Max Schrems; an Austrian lawyer, privacy advocate, and founder of noyb – an organization that aims to bring legal cases concerning data protection under the GDPR to EU courts. However, as its moniker suggests, the Schrems II case was the second high-profile case brought forward by Schrems in relation to international data transfers between the EU and the US.
Schrems’ work initially gained widespread notoriety in the CJEU case and subsequent judgment that invalidated the Safe Harbor mechanism – the predecessor to the EU-US Privacy Shield – in what is commonly known as ‘The Schrems Case’ or ‘Schrems I’. This initial case was instigated after Schrems lodged a complaint on June 25, 2013, with the Irish Data Protection Commissioner (‘DPC’) requesting an investigation into data transfers from Facebook’s European headquarters in Ireland to its servers in the US over concerns related to the NSA’s data collection practices.
The Schrems case was brought to the High Court of Ireland before being referred to the CJEU for a preliminary ruling. On October 6, 2015, the CJEU issued its highly anticipated decision which declared the Safe Harbor mechanism as invalid.
In the fallout from the decision, the European Commission and the US Department of Commerce began designing a data transfer mechanism that would be in compliance with EU data protection requirements when transferring personal data from the European Union to the United States. The EU-US Privacy Shield Framework was deemed adequate to enable data transfers under EU law by the European Commission on July 12, 2016.
After the invalidation of the Safe Harbor mechanism, Max Schrems resubmitted his complaint to the Irish DPC on the basis that Facebook had continued transferring personal data from its European headquarters in Ireland to the US, now relying on SCCs. On April 12, 2018, the Irish High Court referred the case to the CJEU along with eleven questions for the court to address.
On July 16, 2020, the CJEU issued its judgment in Schrems II, declaring the EU-US Privacy Shield Decision invalid, but upholding the validity of SCCs. Speaking to OneTrust DataGuidance at the time, Eduardo Ustaran, Partner and Global Co-Head of the Privacy and Cybersecurity practice at Hogan Lovells stated, "The impact of this decision is immediate and global. It goes significantly further than the invalidation of the Privacy Shield as it requires companies to bear in mind other countries' powers over data access when engaging in global data flows.”
During the proceedings, the CJEU examined the validity of the EU-US Privacy Shield in relation to the requirements of the GDPR. The CJEU found that the protection of personal data had limitations due to domestic law in the United States as well as the access and use by US public authorities of personal data transferred from the EU. It was ruled that the provisions of US laws do not satisfy requirements that are essentially equivalent to those required under EU law.
In the decision, the CJEU noted that:
- US public authorities' use and access of EU data were not restricted by the principle of proportionality; and
- the Ombudsperson mechanism does not provide data subjects with any cause of action before a body that offers guarantees substantially equivalent to those required by EU law.
In relation to SCCs, the CJEU highlighted that the assessment of the afforded level of protection must take into consideration:
- both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country; and
- relevant aspects of the legal system of that third country in relation to any access by public authorities of the third country.
The CJEU also maintained its position that supervisory authorities are required to suspend or prohibit the transfer of data to the third country when it believes that the protection required by EU law cannot be ensured by other means. In addition, the CJEU highlighted that SCCs are a mechanism that, in practice, make it possible to ensure compliance with a level of protection in accordance with EU law, as well as guaranteeing that the transfer of personal data is suspended or prohibited in the event of a breach of such clauses or when it is impossible to honor them.
The European Commission released its revised SCCs for public consultation, followed by a joint statement issued by the European Data Protection Board and the European Data Protection Supervisor on the draft revised SCCs. On June 4, 2021, the European Commission adopted two new sets of SCCs for use between Controllers and Processors and for the transfer of personal data to third countries.
The EDPB adopted its final recommendations on supplementary measures for transfer tools on June 18, 2021, highlighting a six-step roadmap to assist with the assessment of third countries and identifying and implementing appropriate supplementary measures.
The CJEU upheld the use of SCCs, however, highlighted that data controllers or data processors relying on SCCs are obligated to 'verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.'
The EDPB released the Supplementary Measures Recommendations on November 12, 2020, and adopted its final recommendations on June 18, 2021, following a public consultation. The final recommendations outlined a six-step roadmap to assist in the assessment of third countries and the measures that can be taken to safeguard the transfer of personal data.
- Know your transfers
- Identify the transfer tools you are relying on
- Adequacy decisions
- Article 46 GDPR transfer tools (including SCCs and BCRs)
- Assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer
- Transfer factors
- Assessing laws
- Assessment outcomes
- Adopt supplementary measures
- Take procedural steps if you have identified effective supplementary measures
- Re-evaluate at appropriate intervals
Further to the roadmap, the final recommendations also offered several updates including;
- Emphasis is placed on exporters recognizing the importance of examining third country public authorities’ practices in their legal assessments to help determine whether the legislation or practices hinder the effectiveness of the Article 46 transfer tool.
- Exporters are encouraged to consider the practical experience of the importer when carrying out their assessments
- The guidance highlights that the effectiveness of the data transfer tool may be affected by the legislation of the third country destination allowing its authorities to access the transferred data, even without the importer’s intervention.
The third step of the EDPB’s six-step roadmap requires organizations to assess whether the Article 46 transfer tool being relied upon for the data transfer remains effective in the specific circumstances of the transfer. This means that assessments should be made on a case-by-case basis to examine the legal practices of any third country that personal data is being exported to. When performing a transfer impact assessment (TIA), organizations should evaluate:
- The legal framework of the third country
- The practical application of the legal framework in the third country
- The availability of access requests by third country government agencies
- Whether mechanisms are in place for organizations to refuse government access requests
- Whether legally binding international conventions (e.g. Convention 108) have been entered into
- Whether an independent supervisory authority for privacy and data protection has been established
- The existence of legal remedies for data subjects and the extra-territorial scope of these remedies
Performing a TIA can help organizations evaluate whether the transfer tool they are relying on will be effective in the circumstances of the transfer, but it will also highlight whether supplementary measures will be necessary to ensure an essentially equivalent level of data protection to that found under the GDPR.
In addition to the Supplementary Measures Recommendations, the EDPB also adopted the Essential Guarantees Recommendations. The European Essential Guarantees ('EEGs') are referential standards identified by the CJEU in the Schrems I case and were introduced in order to ensure that national surveillance measures would not impact the protection of personal data during data transfers.
The EEG Recommendations highlight that, 'following the analysis of the jurisprudence, the EDPB considers that the applicable legal requirements to make the limitations to the data protection and privacy rights recognized by the Charter justifiable can be summarized in four European Essential Guarantees':
- Guarantee A - Processing should be based on clear, precise, and accessible rules
- Guarantee B - Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
- Guarantee C - An independent oversight mechanism should exist
- Guarantee D - Effective remedies need to be available to the individual
In the recommendations, the EDPB stressed that although the EEGs may form part of the assessment of third-country legislation for data transfers, they are not exclusive and do not constitute a complete list of what is necessary to demonstrate essential equivalence in a jurisdiction.
Article 46 of the GDPR sets out a number of tools that can be relied upon to ensure adequate safeguards are in place to protect personal data when transferring data outside of the EEA. Following the Schrems II decision, the European Commission released its draft revised SCCs for public consultation, which had been under review for some time in light of the entry into effect of the GDPR. The revised SCCs take a modular approach to accommodate the diversity of transfer scenarios. In the European Commission’s draft, four different use cases are provided by the Commission:
- Module 1: Controller to controller
- Module 2: Controller to processor
- Module 3: Processor to processor
- Module 4: Processor to controller
Furthermore, the European Commission’s revised SCCs have a broader scope to reflect the GDPR's extraterritorial reach as well as more flexibility to facilitate the use of SCCs in complex and constantly evolving relationships. The revised SCCs also reflect a strengthened data protection framework under the GDPR and specific clauses to accommodate concerns brought about by the Schrems II decision.
On January 15, 2021, the EDPB and the EDPS issued a statement announcing that they had adopted joint opinions on two sets of the European Commission’s draft SCCs. One of the opinions focused on the draft SCCs for contracts between controllers and processors and the other on the draft SCCs for the transfer of personal data to third countries.
In June 2021, the European Commission adopted two sets of new SCCs for use between Controllers and Processors and another for the transfer of personal data to third countries. The new SCCs are said to reflect the challenges of modern data transfers while offering flexibility and greater legal predictability for organizations using the mechanism.
On the adoption, Vice-President for Values and Transparency of the European Commission, Vera Jourová said: “In Europe, we want to remain open and allow data to flow, provided that the protection flows with it. The modernized Standard Contractual Clauses will help to achieve this objective: they offer businesses a useful tool to ensure they comply with data protection laws, both for their activities within the EU and for international transfers. This is a needed solution in the interconnected digital world where transferring data takes a click or two.”
In its press release, the European Commission highlighted that an 18-month transition period is available for controllers and processors that are using previous sets of standard contractual clauses.
On June 7, 2021, the European Commission's modernized SCCs were published in the Official Journal of the European Union, the final step in the administrative process. Subsequently, the 18-month transition period that organizations have to revise their use of SCCs began on June 27, 2021.
On March 25, 2022, the President of the European Commission, Ursula von der Leyen announced through a series of tweets that an agreement in principle has been made on a new framework for transatlantic data flows.
The White House also published a factsheet in relation to the agreement in principle, outlining a commitment the US has made to implement new safeguards that will ensure surveillance activities in the pursuit of national security are necessary and proportionate.
On October 7, 2022, President Biden issued an executive order for the EU-US Data Privacy Framework along with a factsheet. The Executive Order highlighted several areas of the framework that aim to alleviate the concerns raised in the CJEU’s decision in the Schrems II case.
If approved by the European Commission, the framework will require US signals intelligence activities to only be conducted in pursuit of defined national security objectives and only where necessary and proportionate. The framework would also create a multi-layered redress mechanism for individuals in cases where the personal information that has been collected through US signals intelligence was collected or handled by the US in violation of applicable privacy laws. This mechanism empowers the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) to conduct investigations into complaints to determine non-compliance as well as granting the Attorney General the power to establish a Data Protection Review Court (DPRC) that would independently review the CLPO’s decision. The US Intelligence Community will be required to update their policies and procedures to reflect the new safeguards outlined in the framework.
The Executive Order is now subject to approval in the EU. It could take up to six months for the European Commission to issue an adequacy decision on the framework which means that it could enter into effect before March 2023.
In summary, the Schrems II decision has forced organizations to revisit the way they approach international data transfers. The European Commission’s modernized SCCs were adopted in June 2021 giving organizations currently using previous versions of the Commission's SCCs an 18-month transition period to update their contracts.
The EDPB’s final guidance offers a clear roadmap and actionable steps for ensuring that personal data transfers are lawful and that they satisfy the accountability principle under Article 5(2) of the GDPR. While the process of re-assessing your data transfers may be a complex process, OneTrust offers several solutions including pre-built templates, exporters can assess third countries, carry out Transfer Impact Assessments (TIAs), and evaluate the effectiveness of their supplementary measures.
Finally, the EU -US Data Privacy Framework, if adopted, will provide more legal certainty for organizations transferring personal data from the EU to the US and EU citizens a right to access a redress mechanism – however, the status of the framework remains in the hands of the European Commission.
The following jurisdictions have thus far been recognized as providing adequate protection for personal data (i.e. are party to an adequacy decision):
- Canada (commercial organizations)
- Faroe Islands
- Isle of Man
- New Zealand
- Republic of Korea
- United Kingdom
- OneTrust DataGuidance Portal: Schrems II
- OneTrust DataGuidance Insight: EU: What can be learnt from the EDPS' strategy on Schrems II
- OneTrust Blog: European Commission Adopts New Standard Contractual Clauses (SCCs)
European Commission Press Release: European Commission adopts new tools for safe exchanges of personal data
- OneTrust DataGuidance Webinar: Schrems II Fallout - Dealing With International Transfers Post-Schrems II & Reaction to the EDPB's Recommendations
- OneTrust DataGuidance Webinar: Schrems II Fallout Continued: Reaction and Analysis to NEW Standard Contractual Clauses and EDPB Schrems II Recommendations
- OneTrust DataGuidance Blog: Schrems II FAQs