Generated by GPT-5-mini

| Schrems II | |
|---|---|
| Name | Schrems II |
| Court | Court of Justice of the European Union |
| Decision date | 16 July 2020 |
| Citation | C‑311/18 |
| Judges | Koen Lenaerts, Jean-Claude Bonichot, Ludwig Sauer, Vera Jourová, Philippe Léger |
| Advocates general | Nathalie Besson |
| Keywords | Privacy, Data Protection, International Transfers, Standard Contractual Clauses, Privacy Shield |
Schrems II is a landmark judgment of the Court of Justice of the European Union that addressed transatlantic personal data flows between the European Union and the United States. The ruling invalidated the EU–US Privacy Shield framework and upheld the validity of Standard Contractual Clauses subject to case-by-case assessment, reshaping jurisprudence under the General Data Protection Regulation and the Charter of Fundamental Rights of the European Union. The decision intensified debates involving institutions such as the European Commission, the European Data Protection Board, and national supervisory authorities like the Irish Data Protection Commission.
The case followed earlier litigation, notably challenges during the era of the EU–US Safe Harbor framework and subsequent negotiations resulting in the EU–US Data Privacy Framework discussions. It built upon precedent in the Google Spain v AEPD and Mario Costeja González line and referenced principles from the Charter of Fundamental Rights of the European Union, the Treaty on European Union, and the Treaty on the Functioning of the European Union. The applicant had previously litigated in national fora including the Irish High Court, and procedural steps engaged the European Court of Human Rights dialogue on cross-border surveillance topics associated with the Foreign Intelligence Surveillance Act and programs disclosed by Edward Snowden.
The litigation originated from a complaint by privacy activist Max Schrems against Facebook Ireland Limited and its reliance on data transfers to Facebook Inc. in the United States. Proceedings involved the Irish Data Protection Commission and were referred to the Court of Justice of the European Union by the High Court of Ireland. Interveners and interested parties included the European Commission, the Article 29 Working Party, multinational firms like Microsoft Corporation, Amazon, Apple Inc., and Twitter, Inc., as well as civil society groups such as NOYB and European Digital Rights. National supervisory authorities across the European Economic Area, including the Austrian Data Protection Authority and the CNIL, monitored developments.
The Court considered whether transfers relying on an adequacy decision like the EU–US Privacy Shield ensured protection equivalent to EU standards under the General Data Protection Regulation. It assessed whether Standard Contractual Clauses could lawfully underpin transfers when the destination state's legal environment allowed access by public authorities, drawing on jurisprudence concerning the European Convention on Human Rights and surveillance laws such as the USA PATRIOT Act and sections of the Foreign Intelligence Surveillance Act. Questions also touched on the role of the European Commission in adequacy findings, the supervisory remit of national authorities under the GDPR, and remedies available to data subjects under instruments like the Charter of Fundamental Rights of the European Union.
The Court of Justice of the European Union held that the EU–US Privacy Shield did not provide adequate protection under EU law, rendering the Commission's decision invalid. Simultaneously, the Court ruled that Standard Contractual Clauses remain valid but must be assessed in context; exporters and importers must verify, on a case-by-case basis, whether the law of the recipient country ensures protections essentially equivalent to those guaranteed under EU law. The Court relied on precedents including Digital Rights Ireland and analyzed obligations under the General Data Protection Regulation, the Charter of Fundamental Rights of the European Union, and the role of supervisory authorities like the European Data Protection Board to suspend transfers. The ruling scrutinized foreign surveillance frameworks such as the Foreign Intelligence Surveillance Act and referenced dialogues with United States Congress and United States Department of Justice concerns about lawful access.
The decision triggered immediate operational consequences for multinational enterprises including Facebook Ireland Limited, Google LLC, Microsoft Corporation, Amazon Web Services, Salesforce, SAP SE, Oracle Corporation, LinkedIn Corporation, Zoom Video Communications, and cloud providers serving entities under the GDPR. It prompted reassessments of contractual instruments like Standard Contractual Clauses and technical measures such as encryption and pseudonymisation employed by firms like Box and Dropbox, Inc. Sectoral regulators, international bodies such as the Organisation for Economic Co-operation and Development and the Council of Europe, and trade partners including Japan and Canada watched implications for adequacy dialogues. Academic centers like Harvard Law School and Oxford Internet Institute produced analyses, while consultancies including Deloitte and PwC advised corporate clients on compliance strategies.
Responses came from the European Commission, which issued guidance and later proposed updated Standard Contractual Clauses and supplementary measures, and from the European Data Protection Board, which provided recommendations for assessing transfers. National data protection authorities such as the CNIL, the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, and the Irish Data Protection Commission issued enforcement positions and guidance. Lawmakers in the European Parliament debated legislative fixes alongside transatlantic negotiations involving the United States Department of Commerce and representatives from the United States Congress. Civil society groups including European Digital Rights and Access Now considered strategic litigation, while technology companies pursued contractual, technical, and localization measures, and legal scholars at institutions like the London School of Economics evaluated long-term regulatory impacts.