In this special episode of That Privacy Podcast, David Longford and Alexis Kateifides of OneTrust and Eduardo Ustaran, Global co-head of the Hogan Lovells Privacy and Cybersecurity practice, met on July 17, 2020, to discuss their initial reaction to the decision and what implications the invalidation of the Privacy Shield Framework might have on businesses. 

The Schrems II decision 

On July 16, 2020, the Court of Justice of the European Union (CJEU) published its judgment in the Schrems II Case. In its judgment, the CJEU declared the European Commission's EU-US Privacy Shield invalid, and, while it upheld the use of Standard Contractual Clauses (SCCs), companies were subject to enhanced requirements in order to use them. 

The judgment left many organizations needing to re-assess the way they approach personal data transfers under the General Data Protection Regulation (GDPR) and the additional safeguards that they need to undertake in order to transfer personal data internationally. In the fallout from the CJEU’s decision in the Schrems II case, the European Data Protection Board (EDPB) released its final guidance on the supplementary measures for transferring personal data internationally to help organizations ensure that their cross-border data transfers have sufficient safeguards (e.g. SCCs, BCRs) in place to provide an essentially equivalent level of data protection to that found under the GDPR. The guidance also introduced a six-step roadmap for organizations to follow when transferring personal data out of Europe. The six-step roadmap included the need to identify the data transfer mechanism you are relying on (e.g. adequacy decisions, derogations) for third-country transfers and to conduct a Transfer Impact Assessment (TIA) in certain circumstances.  

The European Commission also adopted its revised SCCs in June 2021. Another major development in the fallout from the CJEU’s decision. The new SCCs are to be used from September 27, 2021, with existing contracts including the old SCCs remaining valid until December 27, 2022. 

What is Schrems II? 

Schrems II was the second high-profile case brought against Facebook Ireland by Max Schrems; an Austrian lawyer and founder of NOYB. The case centered around a complaint raised by Schrems relating to the transfer of personal data from Facebook’s European headquarters in Ireland to the US over concerns with national surveillance law, US Government access to personal data, and the validity of SCCs.  

The Schrems II case came about off the back of an initial complaint raised by Schrems against Facebook Ireland in 2013. This initial complaint resulted in the first Schrems case, or Schrems I, which centered around a request for the Irish Data Protection Commissioner (DPC) to investigate Facebook’s international data transfers. The subsequent judgment in the Schrems I case invalidated the Safe Harbor mechanism - the predecessor to the EU-US Privacy Shield. 

Further Schrems II Reaction Resources 

Check out the OneTrust DataGuidance Schrems II Portal for a consolidated view of all the research materials on offer relating to the Schrems II case. Alternatively, read the Insight article Data transfers and online advertising technologies post-Schrems II authored by Dmitry Alekseev and Javier Arnaiz of ECIJA, Madrid 

The Definitive Guide to Schrems II is a comprehensive blog featuring all of the information you need to understand the Schrems II ruling including the background to the case, its impact on data protection law and the regulatory landscape, and the next steps or organizations. 

Follow OneTrust DataGuidance on LinkedIn to keep up to date with upcoming webinars, insights, and more.