In a landmark ruling on a case brought by Austrian lawyer and privacy activist Maximilian Schrems, the European Court of Justice (CJEU) found that Facebook’s transfer of personal data from Europe to the United States under the Standard Contractual Clauses (SCC) does not provide adequate protection for EU citizens. The ruling forced organizations to find other methods of transferring data to the US, causing major disruption to their business. On the other hand, it also opened the door to alternative mechanisms for cross-border transfers. We will cover the Schrems II ruling, the invalidation of the Privacy Shield, the new set of EU clauses, and lastly, the six-step series published by the EDPB to ensure the protection of personal data in transatlantic data flows.

Before we discuss the Schrems II decision in detail, however, it is important to get to know the EU-US Privacy Shield, which became the casualty of the Schrems II judgment.

What is the EU-US Privacy Shield?

Before Schrems II, Max Schrems filed a case (Schrems I) against Facebook in 2013. The complaint sought to prohibit Facebook from transferring data from Ireland to the US because of its involvement in the US mass surveillance program. Schrems won the case in 2015 (Schrems vs. Data Protection Commissioner), which led to the collapse of the US Safe Harbor Decision.

More than a year after the European Court of Justice (CJEU) struck down the Safe Harbor Agreement, the European Commission (EC) and the US government started negotiating a new deal to restore data transfers from EU countries to the US. The deal was reached in 2016, and the new framework, the EU-US Privacy Shield, came into effect on July 12, 2016.

The Privacy Shield comprises the following seven principles for organizations that receive personal data from the EU:

  1. Notice
  2. Choice
  3. Accountability for Onward Transfer
  4. Security
  5. Data Integrity and Purpose Limitation
  6. Access
  7. Resources, Enforcement and Liability

These principles provide guidelines on how to process and protect personal data. However, Schrems challenged the framework as well, and it met the same fate as its predecessor.

What is the Schrems II judgment?

Schrems II refers to the legal complaint filed by Schrems against Facebook’s privacy policy regarding transfers of its users’ data from the EU to the USA. The case was a follow-up to his previous lawsuit (Schrems I).

The Schrems II lawsuit was filed on the grounds that Facebook processes EU residents’ data and transfers it to the US, where there are insufficient safeguards against mass surveillance programs. It questioned the validity of the EU’s Standard Contractual Clauses (SCC), the standardized data protection clauses used for data transfers.

Schrems argued that US law enforcement can access more data than necessary under the Privacy Shield, which interferes with the rights and freedoms of users and violates the GDPR. Secondly, there is no authority that can make binding decisions on the US government and its agencies, making it difficult for EU users to exercise any rights over their data in the US.

The CJEU presented its decision on July 16, 2020. The Court ruled that the EU-US Privacy Shield does not provide adequate protection to the personal data transferred and decided to invalidate the agreement. However, it upheld the validity of the EU SCC.

What are the 2021 EU SCC and how do they respond to Schrems II?

In the aftermath of the Schrems II ruling, the European Commission adopted new sets of Standard Contractual Clauses (SCC) under the GDPR on June 4, 2021. They ensure appropriate data protection safeguards for international data transfers and address the controller-processor obligations set by Article 28 of the GDPR.

One set of clauses is for use between controllers and processors, and the other is for the transfer of personal data to third countries.

The new SCC came into effect on June 27, 2021. There was a three-month transition period for new data transfer contracts. Existing data transfer contracts could continue to use the old SCC until December 27, 2022, by which time all data transfers were expected to have been moved to the new clauses.

Let us look at the crucial points in the new and updated SCC and how your organization can comply with them.

Modular approach

The new SCC for international data transfers combine general clauses with a modular approach that covers the different data transfer scenarios:

  • Module 1: Transfer controller to controller 
  • Module 2: Transfer controller to processor 
  • Module 3: Transfer processor to processor 
  • Module 4: Transfer processor to controller

This is quite a significant change from the old SCC. The previous clauses did not properly address such scenarios, especially processor-to-processor or processor-to-controller transfers.

The new SCC also allow data exporters, i.e. the controllers or processors who transfer data to a third country, to be non-EU entities.

Clauses for International Data Transfers

Article 46(2)(a) of the GDPR states that a data controller or processor may transfer personal data to a third country or international organization if appropriate safeguards are in place and enforceable rights and legal remedies are available to users. The new SCC provide such safeguards for cross-border transfers. The EU Commission also encourages supplementary contracts to strengthen these safeguards.

The new SCC also require you to provide users with information about the purpose of the data transfer. This includes the categories of personal data processed, the right to obtain a copy of the SCC, and any onward transfer.

The SCC require the data importer, i.e. the data controller or processor who receives the data, to inform users of a contact point and to handle any complaints or requests. If a data importer fails to comply, the user can lodge a complaint with the supervisory authority or approach the EU courts.


Multiple-party agreements 

Under the updated SCC, more than two parties can enter into a contract using the SCC. Additional controllers and processors can accede to the standard contractual clauses as data exporters or importers. This helps limit the number of individual contracts and facilitates seamless data transfers.

Schrems II requirements

The new SCC require data exporters and importers to comply with the Schrems II judgment.

The parties must warrant that they have no reason to believe that the laws of the third country would prevent the data importer from fulfilling its obligations under the new SCC.

They must have assessed all the specific circumstances of the transfer and the laws and practices of the third country. The parties should also assess any safeguards that supplement those provided by the SCC. All of these assessments must be duly documented and shared with the competent supervisory authority upon request.

Data importers must share relevant information with data exporters and cooperate with them for compliance with the SCC.

Sub-Processor agreements

Sub-processors are also subject to the new SCC. The new SCC do not require separate agreements for sub-processors; instead, they mandate a contract between the processor and the sub-processor that ensures the same level of protection for cross-border transfers as the clauses themselves.

Controller and processor agreements

The second set of new SCC covers the processing agreement between controllers and processors. Processors should only process the transferred personal data on instruction from the controllers. If there is a legal requirement concerning the transfer of personal data out of the Union or a member state, the processor must inform the controller beforehand.

Processors must also implement sufficient technical and organizational measures to provide the same level of protection stated in the SCC when engaging another processor to process personal data on behalf of the controller. Processors remain fully liable to controllers for the performance of their sub-processors.

What are the EDPB recommendations to protect international data transfer?

On June 18, 2021, the European Data Protection Board (EDPB) adopted revised recommendations for complying with EU data protection standards. They include six steps to follow to ensure safe international data transfers. Many of the points discussed in these steps are similar to the guidelines in the new SCC.

Step 1: Know your transfers

Mapping the data in all of your data transfers is a complicated process. However, you must know where the data goes in order to ensure that the recipient will offer adequate data protection. You must also ensure that the data is adequate, relevant, and limited to what is necessary to fulfill its primary purpose.

For example, you may be unaware that your website is sending personal data collected by trackers, such as cookies, outside the EU. In that case, you must identify these cookies and ensure their usage complies with EU laws.


Step 2: Identify the transfer tools you are relying on

When you send data outside the EU, you must ensure the recipient country offers an equivalent level of protection. Otherwise, you have to identify the right transfer mechanism, such as the standard contractual clauses, a code of conduct, binding corporate rules, or any other transfer tool mentioned in Article 46 of the GDPR.

Step 3: Assess whether the transfer tool is effective

The next step is to assess if there is any law or practice in the recipient country that may interfere with the effectiveness of the transfer tool.

Step 4: Adopt supplementary measures

If your organization is sending personal data to a country that does not have an adequate level of data protection, you must adopt supplementary measures to safeguard the data, for example technical measures, additional contractual measures, or organizational measures.

If none of the additional measures can ensure adequate data protection, you must suspend or terminate the data flow. 

Step 5: Procedural steps for supplementary measures

The fifth step is to take the procedural steps necessary to adopt the supplementary measures. This also includes documenting your assessment.

Step 6: Re-evaluate at appropriate intervals

Lastly, the EDPB recommends that you re-evaluate the level of data protection in the recipient country at appropriate intervals. This keeps you up to date with the latest developments there and ensures that nothing has arisen that would undermine the protection of the data.

Here is the timeline of all the events discussed here:

[Figure: timeline of Schrems II, the Privacy Shield and the SCC]

Wrapping up

The Schrems II ruling may have caused a few roadblocks. However, when it comes to protecting user data, it was the right decision. Organizations must start acclimating themselves to the new standard contractual clauses and update their contracts to comply with them. They must identify the outdated clauses in their existing contracts before the transition period ends.

Frequently asked questions

What does Schrems II mean?

Schrems II is the lawsuit filed against Facebook by the Austrian activist Max Schrems. He argued that Facebook transfers its users’ data from the EU to the US, which lacks an EU-equivalent level of data protection. The case questioned the validity of the EU-US Privacy Shield and of the EU clauses for international transfers.

In its judgment, the European Court decided to strike down the Privacy Shield and demanded a better set of clauses.

What is Schrems II compliance?

An organization sending the personal data of EU residents to non-EU countries must assess the level of data protection safeguards there and ensure that the transfer will not put the data at risk. You should be aware of the laws and practices in the recipient country before transferring the data. All procedural steps must be duly documented and shared with the supervisory authority if required. The recipient organization in the US must be able to prove that it will keep the received data safe.

Is Privacy Shield still valid?

As a result of Schrems II, the EU-US Privacy Shield is no longer valid. Any data transfer from EU countries to the US must be assessed. Organizations must take supplementary measures — technical (data pseudonymization, encryption), contractual or organizational — to safeguard the data flow. The recipient must be able to prove that appropriate measures have been taken to safeguard the data.

Does Schrems II apply to the UK?

No, Schrems II does not apply to the UK since it is no longer part of the EU. The updated SCCs will not apply to the UK either, so the ICO is creating its own set of clauses that conform with the Schrems II requirements. The ICO has opened consultation and discussion on its draft international data transfer agreement (IDTA).

Why was Privacy Shield invalidated?

The Privacy Shield was invalidated because of its inadequate level of data protection and lack of actionable rights for EU users over their data transferred to the US.

Who is Mr. Schrems?

Maximilian Schrems is an Austrian lawyer and privacy activist who successfully fought a lawsuit against Facebook. He argued that the social media giant transfers the data of its EU users to the US, which lacks EU-equivalent data protection, thereby violating GDPR standards. He is also the co-founder of noyb — an NGO that defends the GDPR and fights legal cases against privacy violations.

What are the SCCs?

Standard Contractual Clauses (SCC) are sets of terms and conditions signed between data exporters and importers for international data transfers under EU law. These clauses are meant to safeguard the data flow and protect it against potential misuse or breach. They were updated after the Schrems II ruling to accommodate the new requirements.