
Schrems II and beyond: EU-US international data transfers

The Schrems II decision in 2020 struck down the Privacy Shield that enabled data transfers from the EU to the US. We look at this landmark ruling, its immediate impact on transatlantic data transfers, and the mechanisms in place today that facilitate international data transfers from the EU to the US.

Updated August 1st, 2024.

On July 16, 2020, the Court of Justice of the European Union (CJEU) struck down the EU-U.S. Privacy Shield Framework (Privacy Shield), a key mechanism that facilitated personal data transfers between the EU and the US under the General Data Protection Regulation (GDPR).

This decision, commonly known as Schrems II, highlighted the inadequacy of US privacy protections compared with EU standards, raising concerns about US surveillance practices and deeming the US a non-adequate country for personal data transfers from the EU.

The EU-U.S. Data Privacy Framework, adopted on July 10, 2023, emerged as a crucial development and aimed to address the CJEU’s concerns by providing stronger safeguards and a clear legal pathway for data transfers between the EU and US.

We look at the immediate impact of the Schrems II case and how it has shaped international data transfers under the GDPR.

What is the Schrems II case?

Schrems II is a landmark ruling by the CJEU based on a 2015 complaint by Austrian privacy advocate Maximilian Schrems against Facebook Ireland Limited. Schrems brought the case before the Irish Data Protection Authority, challenging the use of Standard Contractual Clauses (SCCs) for data transfers to the US. The Irish High Court escalated the case to the CJEU in 2018.

In its judgment, the CJEU addressed two main aspects related to data transfers between the EU and US: the SCCs and the Privacy Shield. 


While the CJEU upheld the SCCs as a valid mechanism for data export under Art. 46 GDPR, it required that organizations conduct thorough assessments to ensure data transfers meet EU standards regarding appropriate safeguards, enforceable rights, and effective legal remedies. This includes a case-by-case review of the legal framework of the recipient country and the specific terms of the SCCs involved.

In its evaluation of the Privacy Shield, the CJEU held that the US does not offer protection equivalent to EU standards, primarily due to two reasons:

  • invasive surveillance programs that are not limited to what is strictly necessary and proportional, as required by EU law
  • the ineffective redress mechanism provided by the Privacy Shield Ombudsperson, which lacked the authority to make binding decisions on US intelligence services, undermining its role as a protective measure for EU citizens

Immediate impact of the Schrems II judgment

The immediate invalidation of the Privacy Shield by the Schrems II judgment left no grace period for businesses relying on the framework for transatlantic data transfers. This sudden change forced businesses to reevaluate and adjust their data handling practices. In response to these new compliance challenges, many companies shifted towards alternative legal mechanisms, such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).

These alternatives became essential tools in bridging the gap left by the Schrems II ruling, enabling ongoing data transfers while companies worked to align with new regulatory expectations.

The European Commission’s updated SCCs 

On June 4, 2021, the European Commission (EC) adopted two new sets of standard contractual clauses to replace the Privacy Shield data transfer framework: one set for controllers and processors, and another for transferring personal data to third countries.

Among other things, the 2021 EC SCCs:

  • enable transfers of personal data between the EU and any third country (non-adequate under the GDPR) and remove the need for a separate data processing agreement (DPA) and signed SCC
  • have provisions to ensure that local laws do not prevent compliance with the SCCs, such as assessments by the data importer
  • require additional data protection safeguards, such as protection against data breaches, ensuring confidentiality, pseudonymization of sensitive data, and storage and purpose limitation, among others
  • prescribe conditions by which third parties outside the EU can receive personal data, such as if the third party is in a country with an adequacy decision or the transfer of data is necessary to protect the vital interests of the data subject or of another natural person

Decisions of various EU Data Protection Authorities

Following the Schrems II ruling, Data Protection Authorities (DPAs) across various EU countries heightened their scrutiny of data transfers, affecting international operations for businesses using major US-based services like Google Analytics. The DPAs of Austria, France, Italy, the Netherlands, Norway, Denmark, and Sweden, and even the European Parliament, all concluded that, without additional safeguards, these data transfers did not provide adequate protections for personal data under EU law standards, reflecting the broader enforcement trend initiated by the Schrems II decision.

The EU-U.S. Data Privacy Framework: a new solution

In the absence of an adequacy decision after the Schrems II ruling, personal data could only be transferred to the US based on the EC SCCs or BCRs.

On July 10, 2023, the EC adopted its adequacy decision for the EU-U.S. Data Privacy Framework, a Privacy Shield replacement that gave businesses a mechanism for transatlantic data transfers that are consistent with EU law.

The Data Privacy Framework aims to address the deficiencies highlighted by the Schrems II decision, focusing on enhanced data protection and accountability measures. 

US companies must self-certify their compliance with the principles of the Data Privacy Framework. The EC now deems data transfers from the EU and European Economic Area (EEA) to self-certified companies as having an adequate level of protection as required by EU law without needing additional safeguards under Art. 46 GDPR.

However, for companies not included in the Data Privacy Framework List, or those that have not renewed their certification, which is required annually, data transfers require additional data protection safeguards in accordance with the GDPR. 

Data exporters in the EU and EEA are also tasked with verifying that the US company’s self-certification is active before proceeding with any data transfers, ensuring all legal requirements are met for the protection of personal data.

Role of Transfer Impact Assessments in international data transfers

Organizations that transfer personal data outside the EU must comply with the GDPR and the EU Charter of Fundamental Rights and, as a first step, assess whether the international transfer is to a country with an adequate level of protection to that provided in the EU/EEA.

The European Data Protection Supervisor (EDPS) recommends that these organizations, which are data controllers under the GDPR, carry out a Transfer Impact Assessment (TIA) for this purpose.

According to the EDPS, data controllers should refer to recommendations from the European Data Protection Board (EDPB) when carrying out a TIA, namely:

There is no specified format for conducting a TIA. France’s National Commission on Informatics and Liberty (CNIL) published a draft guide that data controllers may use as a starting point.

It is also recommended to consult a Data Protection Officer, if appointed, when conducting a TIA.

EDPB recommendations for data transfers outside EU

On June 18, 2021, the EDPB adopted updated recommendations on supplementary measures for safe transfers of personal data outside of the EU. The five-step guide aimed to deliver clarity to the industry confusion that existed since the Schrems II ruling struck down the Privacy Shield.

Although the Data Privacy Framework has been in place since July 2023, it applies only to transfers to organizations that are on the Data Privacy Framework List. The EDPB recommendations help website owners and operators navigate the legal ocean of sending data outside of the EU to non-adequate countries, as well as to US organizations not covered by the Data Privacy Framework, while ensuring that the data remains protected.

Step 1: Know your transfers

You need to know where in the world your website — or, more specifically, the third-party cookies or trackers in use on your site, for example — sends end-user personal data to. This is key to everything else, because if you find out that your website is sending personal data from users to a non-adequate country, you must take additional steps to ensure compliance. 

If your website is sending data to the US, check to see if the company you are sending to is on the Data Privacy Framework List, or if you need to take additional safeguards to transfer the data compliantly.

You must also take into account onward transfers to any third party outside the EEA. These onward transfers must be compliant with the GDPR rules for international data transfers.

A website scanner can help you map out your data transfers. Website scanners like Cookiebot™ cookie checker can automatically detect all cookies and trackers in use on your site and give you a detailed report on what parties and where in the world your website sends data.


Step 2: Examine how you send data

Once you have an overview of where in the world your website sends personal data, step two of the EDPB recommendations is to make sure that you use the right transfer mechanisms or transfer tools.

If your website sends personal data to countries with an EU adequacy agreement, you don’t need to take any further steps regarding these data transfers.

But if your website is also sending personal data to countries without an EU adequacy agreement, or to a US company that isn’t on the Data Privacy Framework List, you need to make sure that your website uses one of the transfer tools listed in Art. 46 GDPR.

In these cases, alternative GDPR-compliant transfer mechanisms like SCCs or BCRs need to be in place for data transfers.

Step 3: Assess if the data will be protected after you send it

Evaluating whether a country has laws or privacy practices in place that can guarantee an equivalent level of data protection for your website’s users and their personal data is step three in the EDPB recommendations guide.

This step might seem a bit tricky, as you may not be familiar with the data protection laws of other countries. This is where the EDPB’s Essential Guarantees can help you determine a country’s level of data protection.

The EU Essential Guarantees give you an overview of how to conduct such an evaluation, for example by checking whether:

  • data processing in the country is based on clear, precise, and accessible rules
  • legitimate objectives for processing the data are demonstrated in accordance with EU law’s requirements for necessity and proportionality
  • the country has an independent oversight mechanism or supervisory authority, such as a Data Protection Authority
  • your users have legal remedies to pursue if their GDPR-secured rights have been violated

Annex 3 of the EDPB updated recommendations on supplementary measures also contains a list of possible sources of information to assess a third country for your reference. It contains a detailed list of requirements to consider in the specific circumstances of each transfer.

Step 4: Adopt additional data transfer protections

If you discover that your website sends personal data from end users to a country that is not recognized as having an adequate level of data protection, or that your Art. 46 GDPR transfer tool is ineffective, step four of the EDPB recommendations maps out how you can ensure additional security around your data transfers so that they meet EU standards of equivalence.

These supplementary measures in the EDPB recommendations include:

  • technical safeguards (such as encryption protocols and pseudonymization)
  • contractual safeguards (such as importer transparency commitments, enhanced audits, and requiring specific technical measures)
  • organizational measures (such as internal transfer governance policies and data minimization)

Annex 2 of the EDPB updated recommendations on supplementary measures contains detailed examples and use cases to consider.

Steps 5 and 6: Document and reassess

In steps five and six of the EDPB recommendations, you are encouraged to document your data transfer practices and how you ensure adequate protection for your website’s end users.

You are also encouraged to reevaluate your data transfer practices at appropriate intervals to make sure that you’re always up to date on the latest developments in the countries to which you send personal data.
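Steps 1 to 4 above, together with the annual-certification check from the Data Privacy Framework section, as an added worked example (not code from the original post): a small transfer inventory review that classifies each third party a site scan reports. The vendor names, the adequacy subset, and the certification dates are constructed for illustration, not taken from any real list.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
# Constructed, illustrative subset of destinations with an EU adequacy decision (not the full list).
ADEQUATE = {"EEA", "CH", "JP", "UK", "CA"}
@dataclass
class Transfer:
    recipient: str                       # third party (e.g. a tracker vendor) receiving the data
    country: str                         # where the recipient processes it
    onward: tuple = ()                   # countries of the recipient's own sub-processors
    dpf_valid_until: date | None = None  # DPF self-certification expiry (US recipients only)
    art46_tool: str | None = None        # "SCC" or "BCR" if in place
    tia_done: bool = False               # Step 3 assessment carried out
    tia_found_effective: bool = False    # Step 3 concluded the tool works in the destination
    supplementary: tuple = ()            # Step 4 measures, e.g. ("encryption",)
def assess(t: Transfer, today: date) -> tuple[str, list[str]]:
    """Apply Steps 1 to 4 to one transfer; returns (verdict, outstanding actions)."""
    actions: list[str] = []
    # Step 1: every onward transfer outside the EEA counts as a destination too.
    needs_tool = [c for c in (t.country, *t.onward) if c not in ADEQUATE]
    if not needs_tool:
        return "adequate", actions
    # A US recipient with an unexpired annual DPF certification is covered, but only that
    # recipient itself, never its onward transfers.
    dpf_active = t.country == "US" and t.dpf_valid_until is not None and t.dpf_valid_until >= today
    if dpf_active:
        needs_tool.remove("US")
        if not needs_tool:
            return "covered by DPF", actions
    # Step 2: remaining non-adequate destinations need an Art. 46 transfer tool.
    if t.art46_tool not in ("SCC", "BCR"):
        return "blocked", [f"put an Art. 46 tool (SCC or BCR) in place for {needs_tool}"]
    # Step 3: assess whether that tool is effective under the destination's legal framework.
    if not t.tia_done:
        actions.append("carry out a Transfer Impact Assessment (Step 3)")
    # Step 4: if the tool alone is ineffective, adopt supplementary measures.
    elif not t.tia_found_effective and not t.supplementary:
        actions.append("adopt supplementary measures (Step 4)")
    if t.country == "US" and not dpf_active and t.dpf_valid_until is not None:
        actions.append("DPF certification lapsed; verify renewal before relying on it")
    return ("transfer tool in place" if not actions else "action required"), actions
def review_inventory(today: date) -> dict[str, tuple[str, list[str]]]:
    # Constructed sample of what a site scan might report; vendor names are hypothetical.
    inventory = [
        Transfer("analytics-vendor.example", "US", dpf_valid_until=date(2025, 3, 1)),
        Transfer("ads-vendor.example", "US", dpf_valid_until=date(2024, 1, 1), art46_tool="SCC"),
        Transfer("cdn-vendor.example", "CH", onward=("IN",), art46_tool="SCC", tia_done=True),
        Transfer("chat-vendor.example", "IN"),
    ]
    return {t.recipient: assess(t, today) for t in inventory}
```

Re-running the review at each reassessment interval (Step 6) with the current date is what surfaces a lapsed DPF certification or a newly added onward transfer.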

Next steps in GDPR-compliant data transfers to the US

Data privacy laws are continuously adapting to technological advancements and new legal precedents. The Schrems I judgment invalidated Safe Harbor, which was the predecessor of the Privacy Shield. The Schrems II decision invalidated the Privacy Shield, leaving the EU and US without an adequacy agreement until the Data Privacy Framework, which itself mandates annual reviews to assess its effectiveness and identify areas for improvement.

Businesses should monitor developments related to the Data Privacy Framework, in particular its annual reviews, to anticipate and adapt to changes that may impact their data transfer strategies. Businesses should also regularly check for updates from the EDPB and local DPAs of the various EU member states, which often release guidelines and announcements related to the use of tracking cookies to collect personal data.

It is also recommended to consult qualified legal professionals and data privacy experts, such as Data Protection Officers, who can provide valuable insights into the complexities of data transfer laws and help integrate the latest legal changes into your data management practices.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

FAQ

What is Schrems II?

Schrems II is a decision by the Court of Justice of the European Union that invalidated the EU-U.S. Privacy Shield agreement, impacting how personal data is transferred from the EU to the US. This ruling emphasized the need for better protection mechanisms against US surveillance practices.

Is the Privacy Shield still valid?

No, the Privacy Shield was invalidated by the Schrems II decision in July 2020 and businesses cannot rely on it for EU-US data transfers. Since then, businesses must use other legal mechanisms, such as Standard Contractual Clauses or the new Data Privacy Framework, to transfer data compliantly from the EU to the US.

Why was the Privacy Shield invalidated?

The Privacy Shield was invalidated because the Court of Justice of the European Union held that it did not provide adequate protection for personal data under EU law, particularly concerning US government surveillance practices. The Court highlighted a lack of enforceable privacy protections and judicial redress for EU residents in the US.

What replaced the Privacy Shield?

The EU-U.S. Data Privacy Framework was introduced as a Privacy Shield replacement, aiming to address the deficiencies identified by the Schrems II ruling and provide stronger safeguards for data transfers, but it was not in place until 2023.

Are EU-US data transfers allowed under the GDPR?

Yes, EU-US data transfers are allowed under the GDPR but must be conducted using approved mechanisms such as Standard Contractual Clauses or the new EU-U.S. Data Privacy Framework, ensuring compliance with EU data protection standards. These mechanisms must be rigorously assessed to ensure they provide sufficient data protection as per EU standards. The Data Privacy Framework is only applicable to companies that are self-certified and appear on the Data Privacy Framework List.
