The Definitive Guide to Understanding Schrems II
In this definitive guide to understanding Schrems II, we cover all the key developments of the Schrems II case, from its background and the judgment to the next steps, so that this page can serve as a one-stop resource for understanding Schrems II.
On July 16, 2020, the Court of Justice of the European Union (CJEU) published its judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (the Schrems II case). In its judgment, the CJEU declared the EU-US Privacy Shield, one of the primary data transfer mechanisms for the safe and free flow of data between EU and US organizations, invalid. The judgment did uphold the use of Standard Contractual Clauses (SCCs); however, it cast some doubt over this method of transferring personal data outside of the EU. The outcome of the judgment left many organizations to re-think the way they handle personal data transfers and whether the transfer mechanisms they had in place were compliant with EU data protection law.
In November 2020, the European Data Protection Board (EDPB) adopted its recommendations on measures that supplement transfer tools as well as its recommendations on the European Essential Guarantees for surveillance measures. While the former assisted data controllers and data processors in implementing appropriate measures to ensure an essentially equivalent level of protection for data transferred to third countries, the latter provided guidance on whether surveillance measures by national security agencies or law enforcement authorities in a third country can be regarded as a justifiable interference. A day after the EDPB released its recommendations, the European Commission released a set of revised SCCs for public consultation.
The consultation period for the European Commission’s revised SCCs ended on December 10, 2020, and a final version of the SCCs is expected to be adopted in the near future. Furthermore, final guidance is expected to be published by the EDPB on future international data transfers in compliance with EU data protection law.
This page is regularly updated for accuracy and comprehensiveness. Last update: March 18, 2020
Table of Contents
- Background and Timeline to Schrems II
- The Schrems II Case
- The Schrems II Judgement
- EDPB Recommendations: Supplementary Measures
- EDPB Recommendations: The Essential Guarantees
- The European Commission’s Revised SCCs
- Next Steps for Schrems II
- List of Adequate Countries
- Further Resources for Understanding Schrems II
Background and Timeline to Schrems II
Schrems II is the most commonly used abbreviation for the Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) case brought forward by Max Schrems, an Austrian lawyer, privacy advocate, and founder of noyb, an organization that aims to bring legal cases concerning data protection under the GDPR before EU courts. As its moniker suggests, the Schrems II case was the second high-profile case brought forward by Schrems in relation to international data transfers between the EU and the US.
Schrems' work initially gained widespread attention through the CJEU case and subsequent judgment that invalidated the Safe Harbor mechanism, the predecessor to the EU-US Privacy Shield, in what is commonly known as 'The Schrems Case' or 'Schrems I'. This initial case was initiated after Schrems lodged a complaint on June 25, 2013, with the Irish Data Protection Commissioner ('DPC') requesting an investigation into data transfers from Facebook's European headquarters in Ireland to its servers in the US over concerns related to the NSA's data collection practices.
The Schrems case was brought before the High Court of Ireland before being referred to the CJEU for a preliminary ruling. On October 6, 2015, the CJEU issued its highly anticipated decision, declaring the Safe Harbor mechanism invalid.
In the fallout from the decision, the European Commission and the US Department of Commerce began designing a data transfer mechanism that would be in compliance with EU data protection requirements when transferring personal data from the European Union to the United States. The EU-US Privacy Shield Framework was deemed adequate to enable data transfers under EU law by the European Commission on July 12, 2016.
The Schrems II Case
After the invalidation of the Safe Harbor mechanism, Max Schrems resubmitted his complaint to the Irish DPC on the basis that Facebook had continued transferring personal data from its European headquarters in Ireland to the US, now relying on SCCs. On April 12, 2018, the Irish High Court referred the case to the CJEU along with eleven questions for the court to address.
The Schrems II Judgement
On July 16, 2020, the CJEU issued its judgment in Schrems II, declaring the EU-US Privacy Shield Decision invalid but upholding the validity of SCCs. Speaking to OneTrust DataGuidance at the time, Eduardo Ustaran, Partner and Global Co-Head of the Privacy and Cybersecurity practice at Hogan Lovells, stated: "The impact of this decision is immediate and global. It goes significantly further than the invalidation of the Privacy Shield as it requires companies to bear in mind other countries' powers over data access when engaging in global data flows."
During the proceedings, the CJEU examined the validity of the EU-US Privacy Shield against the requirements of the GDPR. The CJEU found that the protection of personal data was limited by domestic law in the United States and by the access to and use of personal data transferred from the EU by US public authorities. It ruled that the provisions of US law do not satisfy requirements essentially equivalent to those required under EU law.
In the decision, the CJEU noted that:
- US public authorities' access to and use of EU data were not restricted by the principle of proportionality; and
- the Ombudsperson mechanism does not provide data subjects with any cause of action before a body that offers guarantees substantially equivalent to those required by EU law.
In relation to SCCs, the CJEU highlighted that the assessment of the afforded level of protection must take into consideration:
- both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country; and
- relevant aspects of the legal system of that third country in relation to any access by public authorities of the third country.
The CJEU also maintained its position that supervisory authorities are required to suspend or prohibit the transfer of data to a third country when they believe that the protection required by EU law cannot be ensured by other means. In addition, the CJEU highlighted that SCCs are a mechanism that, in practice, makes it possible to ensure compliance with a level of protection in accordance with EU law, as well as guaranteeing that the transfer of personal data is suspended or prohibited in the event of a breach of such clauses or when it is impossible to honor them.
Following the CJEU’s decision in the Schrems II case, the EDPB adopted two recommendations:
- Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data ('the Supplementary Measures Recommendations'); and
- Recommendations 02/2020 on the European Essential Guarantees for Surveillance Measures ('the Essential Guarantees Recommendations').
Further to the EDPB’s recommendations, the European Commission released its revised SCCs for public consultation.
EDPB Recommendations: Supplementary Measures
The CJEU upheld the use of SCCs but highlighted that data controllers or data processors relying on SCCs are obligated to 'verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.'
The EDPB released the Supplementary Measures Recommendations on November 12, 2020, outlining a six-step roadmap to assist in the assessment of third countries and the measures that can be taken to safeguard the transfer of personal data:
- Step 1: Know your transfers
- Step 2: Identify the transfer tools you are relying on
  - Adequacy decisions
  - Article 46 GDPR transfer tools (including SCCs and BCRs)
- Step 3: Assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer
  - Transfer factors
  - Assessing laws
  - Assessment outcomes
- Step 4: Adopt supplementary measures
- Step 5: Take procedural steps if you have identified effective supplementary measures
- Step 6: Re-evaluate at appropriate intervals
EDPB Recommendations: The Essential Guarantees
In addition to the Supplementary Measures Recommendations, the EDPB also adopted the Essential Guarantees Recommendations. The European Essential Guarantees ('EEGs') are referential standards identified by the CJEU in the Schrems I case and were introduced in order to ensure that national surveillance measures would not impact the protection of personal data during data transfers.
The EEG Recommendations highlight that, 'following the analysis of the jurisprudence, the EDPB considers that the applicable legal requirements to make the limitations to the data protection and privacy rights recognized by the Charter justifiable can be summarized in four European Essential Guarantees':
- Guarantee A - Processing should be based on clear, precise, and accessible rules
- Guarantee B - Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
- Guarantee C - An independent oversight mechanism should exist
- Guarantee D - Effective remedies need to be available to the individual
In the recommendations, the EDPB stressed that although the EEGs may form part of the assessment of third-country legislation for data transfers, they are not exclusive and do not constitute a complete list of what is necessary to demonstrate essential equivalence in a jurisdiction.
The European Commission's Revised SCCs
Article 46 of the GDPR sets out a number of tools that can be relied upon to ensure adequate safeguards are in place to protect personal data when transferring it outside of the EEA. Following the Schrems II decision, the European Commission released its draft revised SCCs for public consultation; the SCCs had been under review for some time in light of the entry into effect of the GDPR. The revised SCCs take a modular approach to accommodate the diversity of transfer scenarios. In the European Commission's draft, four modules are defined according to the status of the parties:
- Module 1: Controller to controller
- Module 2: Controller to processor
- Module 3: Processor to processor
- Module 4: Processor to controller
Furthermore, the European Commission’s revised SCCs have a broader scope to reflect the GDPR's extraterritorial reach as well as more flexibility to facilitate the use of SCCs in complex and constantly evolving relationships. The revised SCCs also reflect a strengthened data protection framework under the GDPR and specific clauses to accommodate concerns brought about by the Schrems II decision.
On January 15, 2021, the EDPB and the European Data Protection Supervisor (EDPS) issued a statement announcing that they had adopted joint opinions on two sets of the European Commission's draft SCCs. One of the opinions focused on the draft SCCs for contracts between controllers and processors and the other on the draft SCCs for the transfer of personal data to third countries. The SCCs must also be reviewed by representatives of each EU Member State and approved through the comitology procedure. This process is expected to be completed by early 2021.
Next Steps for Schrems II
In summary, the Schrems II decision has forced organizations to revisit the way they approach international data transfers. While adequate safeguards have been much discussed by supervisory authorities and organizations alike, the European Commission and the EDPB have yet to publish their final revised SCCs and final guidance respectively.
The public consultation on the European Commission's draft SCCs ended in December 2020, and the draft SCCs are currently being reviewed by EU Member States for approval. Furthermore, it is expected that the EDPB will issue its final guidance during its 47th plenary meeting in April 2021.
List of Adequate Countries
The following jurisdictions have thus far been recognized as providing adequate protection for personal data (i.e. they are the subject of an adequacy decision):
- Canada (commercial organizations)
- Faroe Islands
- Isle of Man
- Japan (private sector)
- New Zealand
- United Kingdom (under review)
Further Resources for Understanding Schrems II
- OneTrust DataGuidance Portal: Schrems II
- OneTrust DataGuidance Insight: EU: What can be learnt from the EDPS' strategy on Schrems II
- OneTrust Blog: Schrems II and the Latest SCC Updates
- OneTrust DataGuidance Webinar: Schrems II Fallout - Dealing With International Transfers Post-Schrems II & Reaction to the EDPB's Recommendations
- OneTrust DataGuidance Webinar: Schrems II Fallout Continued: Reaction and Analysis to NEW Standard Contractual Clauses and EDPB Schrems II Recommendations
- OneTrust DataGuidance Blog: Schrems II FAQs (Coming soon)