Who, or what, is Schrems II?

Maximillian Schrems was a Facebook user who raised a complaint concerning the transfer of his personal data by Facebook Ireland to Facebook Inc. in the United States. His argument was that the Safe Harbour arrangement, which at that time could be applied to certain data transfers between the EU and the US, did not ensure adequate protection for personal data, as required under EU law.

The Court of Justice of the European Union (CJEU) agreed with Mr Schrems and invalidated the Decision of the European Commission, which had previously determined that the US Safe Harbor framework did ensure adequate protection in relation to data transfers from the EU to members of the US Safe Harbor framework.

The above happened in 2015. The US then took steps to replace the Safe Harbor framework with an alternative arrangement which would provide adequate protection. Born from this was the EU-US Privacy Shield which sought to remedy the issues with the Safe Harbor framework, and which was approved by the European Commission in 2016.

Since 2016, organisations in the EU have been able to transfer personal data to organisations that are members of the EU-US Privacy Shield without the need for further safeguards being in place. If the transfer was to a US organisation which was not a member of the EU-US Privacy Shield then typically Standard Contractual Clauses (SCCs) could be used instead as a way of ensuring adequate protection and legitimising the transfer.

However, Mr Schrems was still concerned. He claimed that US law could require Facebook Inc. to make the personal data transferred to it available to certain US authorities, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI). That data could then be used in the context of various monitoring programmes in a manner incompatible with EU law.

In July 2020, CJEU issued its judgement in which it agreed with Mr Schrems and invalidated the EU-US Privacy Shield as a transfer mechanism for exports of personal data to the US.

So, what does that mean?

EU standards of data protection must travel with the data when it goes overseas. Organisations need to assess what personal data they transfer overseas and review what mechanisms are in place to ensure that it is adequately protected.

If an organisation transfers personal data to an organisation in the US which was a member of the EU-US Privacy Shield, it will have to ensure that alternative EU-approved safeguards are in place (such as SCCs). This will require specific related steps to be taken with the US organisation unless the US organisation had already provided for such an alternative as a contingency.

SCCs alone, however, might not be sufficient to ensure adequate protection of personal data overseas. As a result of the Schrems II decision, extra vigilance is now required. Organisations need to review whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs can be complied with in practice. If not, supplementary measures are required to legitimise the transfer. The Schrems II judgement does not state what such supplementary measures might look like, but further guidance is expected from the Information Commissioner's Office in due course.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.