Schrems II: What you need to know

A case that began with a complaint about Facebook has snowballed to become a major data protection headache.


If your role touches on the multi-tentacled creature that is data protection, you may have heard of Schrems II... and if you haven’t, you need to redress that situation. The 16 July ruling by the Court of Justice of the EU (CJEU) on Schrems has big implications for data transferred from the European Economic Area. What began as an enquiry by Austrian lawyer/activist Max Schrems into the legality of Facebook’s handling of personal data sent from Ireland has turned into a headache for CIOs, CISOs, privacy officers and others across the US and Europe.

In short, the CJEU verdict means that organisations that relied on Privacy Shield as a protection when sending data to the US can no longer do so. And the popular Standard Contractual Clauses alternative defence mechanism will need to be accompanied by due diligence: SCCs alone won’t be enough.

To better understand what is happening, I spoke to Jonathan Armstrong, a lawyer at Cordery who specialises in technology and compliance.

How seriously should people be taking Schrems II?

I think they do need to take it seriously and if you look at the immediate aftermath of the Schrems decision we’ve already seen a fair amount of enforcement and complaints made. A number of other countries such as Switzerland and Israel have collapsed their Privacy Shield schemes after the case and we’ve also seen 101 complaints from Schrems’ own organisation to data protection authorities, effectively giving them names of organisations that say they are still relying on Privacy Shield.

And of course the problem is not limited to companies that have signed up to Privacy Shield because most multinational corporations use somebody who is using Privacy Shield to do stuff for them and that might be to run their CRM system, HR, payroll or travel management or whatever. So that’s the regulator-led issue.
