Skip to main content

Schrems II (CJEU Judgment in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems)

Schrems II is the CJEU judgment that invalidated the EU-US Privacy Shield and requires data exporters to assess destination-country laws and add safeguards before relying on standard contractual clauses. It is enforced through GDPR penalties.

Jurisdiction
European Union

Overview

Schrems II is the common name for the July 2020 judgment of the Court of Justice of the European Union in Case C-311/18. It is one of the most consequential decisions in data-protection law. The Court invalidated the EU-US Privacy Shield framework, finding that US surveillance laws did not provide protection essentially equivalent to EU standards and that affected individuals lacked adequate redress.

While not a statute, Schrems II functions as binding law shaping how the GDPR's international-transfer rules are applied. It reshaped global data-transfer practice and led directly to the negotiation of the later EU-US Data Privacy Framework.

Who It Applies To

The judgment affects any organization that transfers personal data from the EU or EEA to a third country, especially to the United States. This includes EU data exporters and their importers worldwide, particularly users of cloud, SaaS, and analytics services hosted outside the EU. Its principles apply across all transfer mechanisms, not only US transfers.

Key Requirements

The Court upheld the validity of Standard Contractual Clauses (SCCs) in principle but ruled that exporters cannot rely on them mechanically. Before transferring, an exporter must assess the legal environment of the destination country (a transfer impact assessment) and determine whether SCCs can be honored in practice. Where the destination's laws undermine the SCCs, the exporter must adopt supplementary measures, such as strong encryption or pseudonymization, or suspend the transfer. Authorities can stop transfers that lack adequate protection.

Penalties for Non-Compliance

Schrems II is enforced through the GDPR. Unlawful transfers can trigger GDPR penalties of up to twenty million euros or four percent of global annual turnover, whichever is higher, along with orders to suspend transfers. Several large enforcement actions have followed directly from the judgment's principles.

How to Comply

Organizations should map cross-border data flows, conduct transfer impact assessments for each transfer, and use updated SCCs or other valid mechanisms. Implement supplementary technical and organizational measures where needed, and reassess when relying on the EU-US Data Privacy Framework. Maintain documentation and revisit assessments as legal conditions change.