Schrems II (2020): The Crossroads of Data Transfers and Privacy Protection
“If EU citizens’ data goes to the United States, will it still receive GDPR-level protection?” Schrems II rewrote the balance between global data flows and fundamental rights.
Hello! Today we look at Schrems II (2020). Brought by Austrian privacy activist Max Schrems, the case centered on concerns that personal data transferred from the EU to the U.S. could be exposed to large-scale surveillance by U.S. intelligence agencies. In particular, the constitutionality—better, the validity—of the Privacy Shield framework (adopted after Safe Harbor was invalidated) was back under scrutiny. Studying this judgment made me realize that the idea of “data borders” is anything but abstract.
Contents
Background and Facts
The case began with Austrian privacy advocate Max Schrems suing Facebook Ireland. Schrems argued that when EU citizens’ data is transferred to the United States, it may be subject to extensive surveillance by U.S. intelligence agencies (notably the NSA). In his view, this fails to meet the GDPR’s requirement of an “essentially equivalent” level of protection. After the 2015 Schrems I ruling had already invalidated Safe Harbor, this case targeted its successor, the EU-U.S. Privacy Shield.
Key Issue: The Validity of Privacy Shield
The question was whether the Privacy Shield framework meets the level of protection required by the GDPR. The breadth of U.S. surveillance programs and the lack of adequate judicial redress for EU citizens were central concerns.
| Issue | Problems with Privacy Shield | GDPR Requirements |
|---|---|---|
| Scope of surveillance | Allows large-scale collection by U.S. government | Only necessary and proportionate surveillance allowed |
| Judicial redress | EU citizens lack effective remedies in U.S. courts | Remedies must be effective and accessible |
| Level of protection | Not equivalent to the EU level | Protection essentially equivalent to (or exceeding) GDPR |
The Judgment and Reasoning
The CJEU held that Privacy Shield is invalid. However, it deemed Standard Contractual Clauses (SCCs) valid in principle, while emphasizing that national supervisory authorities must assess the level of protection in each particular case. The reasoning:
- U.S. surveillance programs do not satisfy necessity and proportionality.
- EU citizens lack effective judicial redress in the United States.
- SCCs remain valid, but controllers/processors and supervisory authorities must verify case-by-case whether equivalent protection is ensured.
Impact on the EU Legal System
Schrems II brought sweeping changes to EU-U.S. data transfers. Privacy Shield was invalidated immediately, confronting thousands of companies with legal uncertainty. In response, the EU and the U.S. negotiated a new framework—the EU-U.S. Data Privacy Framework—and supervisory authorities took on stricter oversight of SCCs. The ruling strengthened the global effect of the GDPR and amplified worldwide debates on data sovereignty.
Criticism and Academic Debate
While hailed for strengthening privacy, Schrems II has also been criticized for imposing heavy practical burdens on companies and regulators.
| Perspective | Main Argument |
|---|---|
| Critical | Greater uncertainty for data transfers; potential chill on global business |
| Supportive | Firmly protects EU citizens’ fundamental data rights and elevates the GDPR’s global standing |
Contemporary Significance and Takeaways
Schrems II remains a reference point for governing international data flows—not only for the EU-U.S. relationship but also for legislation in India, Brazil, Korea, and beyond. Key takeaways:
- Exposes the fragility of transfer frameworks (e.g., Privacy Shield) and calls for new models of international cooperation
- Reinforces the GDPR’s global standard-setting effect, influencing foreign legislation
- Emphasizes the shared responsibility of companies and regulators to verify “concrete protective measures”
Frequently Asked Questions (FAQ)
The validity of the EU-U.S. Privacy Shield, the applicability of SCCs, and the role of supervisory authorities (DPAs) in overseeing transfers.
It invalidated Privacy Shield due to the breadth of U.S. surveillance and insufficient redress mechanisms.
They remain valid in principle, but DPAs must verify in each transfer whether an equivalent level of protection is ensured.
Use SCCs together with a Transfer Impact Assessment (TIA), implement supplementary measures (encryption, pseudonymization), and review local surveillance laws.
Schrems II strengthened the GDPR’s international influence and spurred debates on data sovereignty and surveillance reform.
In Closing
Schrems II (2020) makes clear that data flows are not merely technical—they are tied directly to fundamental rights. For exams and practice, structure your analysis around ① Privacy Shield invalid, ② SCCs valid with conditional verification, and ③ surveillance programs and redress gaps. Emphasizing the Transfer Impact Assessment (TIA) and supplementary measures will align you with current GDPR enforcement trends. This case convinced me that “data is the new border.” The topic will only heat up—so keep a close eye on cases and controversies. 🙂
No comments:
Post a Comment