Schrems II is one of the most significant data protection cases in modern times. It has fundamentally changed how organizations should approach the transfer of personal data between the EU and third countries like the U.S.
If your organization processes data across borders, then it's important to understand Schrems II and the intensified requirements that come with it.
What is Schrems II?
The Schrems II case refers to a lawsuit that Austrian activist Max Schrems filed against Facebook. The case focused on data security and the protection of personal data being transferred from the EU to the U.S.
The core of the Schrems II case was a challenge to the Standard Contractual Clauses (SCCs) and the Privacy Shield agreement that companies used to transfer personal data from the EU to third countries, including the U.S. Max Schrems filed a complaint with the Irish Data Protection Authority alleging that neither mechanism ensured the protection of EU citizens' data once transferred to the U.S. Because the Irish authorities concluded that a legal judgment was needed, the case was brought before the Court of Justice of the European Union.
The Schrems II decision
The verdict, issued on July 16, 2020, nullified the Privacy Shield agreement that had previously been the basis for transatlantic data transfers.
The Privacy Shield was declared invalid because it allowed US intelligence agencies access to data on European citizens. The European Court of Justice concluded that the US surveillance programs were not sufficiently limited and therefore permitted more access than was necessary. Furthermore, European citizens had no effective means of challenging unlawful surveillance in the US, which violates the EU rules on data protection and the right to privacy. On the other hand, the ruling continued to allow the use of SCCs for data transfers, but required a stricter assessment of the receiving organization.
The Schrems II decision also highlighted the responsibilities of data processors and controllers in EU countries, who must now ensure that the country to which they transfer data offers a comparable level of protection to EU standards.
What does Schrems II mean for your organization?
The Schrems II judgment had major consequences for many organizations, as Privacy Shield could no longer be used as a foundation for data transfers. SCCs were the solution for a couple of years, but Schrems II also increased the requirements so that organizations had to perform an additional Transfer Impact Assessment (TIA). If the assessment indicated that the country concerned did not provide sufficient protection, the organization had to consider technical measures such as encryption or pseudonymization to minimize the risk.
This complicated process led to the approval of the new EU-U.S. Data Privacy Framework in July 2023. It offers organizations a more lenient solution for data transfers to the U.S. as long as they comply with the framework's requirements. However, it requires the receiving organization in the U.S. to be certified under the Data Privacy Framework program with the U.S. Department of Commerce.
To ensure your organization can handle the requirements of Schrems II and take full advantage of the new EU-U.S. Data Privacy Framework, it may be a good idea to:
- check whether your U.S. data partners are certified under the Data Privacy Framework
- update your data transfer procedures and assess whether the use of SCCs is still necessary or can be replaced
- ensure continuous monitoring of third-country legislation so that you are always aware of changes that may affect data security
- implement technical security measures such as encryption to increase protection even when transferring data within the new framework