The Court of Justice of the European Union issued on 16 July 2020 information about the Schrems II vs Facebook ruling which shall trigger expensive consequences of business adaptation/ legal compliance to the GDPR rules and the risk of potential financial sanctions for businesses which do not comply with the personal data protection.

Question: How is your company handling the personal data transfers from the EU to the USA and the use of IT/ SaaS solutions after the Privacy Shield has been invalidated by the European Court of Justice last month – in July 2020 via the so-called Schrems vs Fecebook casee?

Let’s start with explaining the term “Privacy Shield”.

In 2016 the European Union decided to issue new laws and rulings on the personal data protection. They included the #GDPR which entered into force on 25th May 2018 along with a decision issued by the EU Commission in July 2016 – stating that the USA and EU apply comparable standards for the personal data protection in commercial use – it was the so-called adequacy decision 2016/1250 known as the Privacy Shield.

The decision included several conditions that needed to be met so that the data of the EU residents may be transferred to the companies registered in the USA. In particular, such companies were required to be listed on the Privacy Shield register page maintained by the American government.
The process was based on the self-assessment of the companies which, alongside with several other practices, was assessed as inefficient and not fully alligned with the GDPR in the regulatory reports of years 2018 and 2019.

The mechanism of the Privacy Shield has been used by the tech giants such as Google and Facebook – as well as smaller companies and startups which registered on the Privacy Shield list.

In practice, this meant that the European regulators treated such personal data transfers as equally safe as those made within the EU.

This meant that the personal data transferred under the Privacy Shield did not increase the regulatory risks of compliance nor the potential sancitons for breaches.

The EU regulators are assessing the data controller’s and data processor’s responsibility under the GDPR based on many aspects; in particular, it is important to make sure that in each case that personal data is transferred outside the EU, the transfer is made with particular care, in compliance with the GDPR rules on such transfers.

If a breach occurs, the liability and sanctions will be more severe and higher in case of personal data transfers outside the European Economic Area than within it.

Until just last month – July 2020 – the companies registered in the USA as well as the European companies using solutions delivered by the US companies were relying on the adequacy decision which reduced the regulatory risk exposure and softened the potential consequences of personal data breaches such as liability claims, financial sanctions and non-financial measures such as the ban on the personal data processing.

Now, after the Schrems vs Facebook ruling, the situation has changed and the SSCs (Standard Contractual Clauses) are recommended to mitigate the risk of sanctions for compliance breaches.

So what was the ruling about?

On July 16, 2020, the Court of Justice of the European Union (the “Court”) issued its landmark judgment in the Schrems II case (case C-311/18). In its judgment, the Court concluded that:
a) the Standard Contractual Clauses issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid; and

b) that the EU-U.S. Privacy Shield framework is invalid. In practice, it means that i may not be applied by the regulators nor the companies in the context of the GDPR compliance.


The case concerns Max Schrems, an Austrian privacy advocate, who filed a complaint with the Irish Data Protection Commissioner (the “Irish DPA”) in 2015, challenging Facebook Ireland’s reliance on the SCCs as a legal basis for transferring personal data to Facebook Inc. in the U.S. Facebook applied SCCs after the Court invalidated the U.S.- EU Safe Harbor Framework in 2015.

Specifically, Schrems alleged that the SCCs do not ensure an adequate level of protection for EU data subjects, as U.S. legislation does not explicitly limit interference with an individual’s right to protection of personal data in the same way as EU data protection law. Following the complaint, the Irish DPA brought proceedings against Facebook in the Irish High Court, which referred 11 questions to the Court of Justice of the European Union. The preliminary questions primarily addressed the validity of the SCCs as well as inquiry re. the EU-U.S. Privacy Shield framework.

The Court stated that the SCCs provide sufficient protection for EU personal data; it highlighted that EU organizations relying on them have an obligation to take a proactive role in evaluating whether there is in fact an “adequate level of protection” for personal data in the importing jurisdiction – before a personal data transfer is made.

The Court also noted that organizations may implement additional safeguards to ensure an “adequate level of protection” for personal data transferred.

Further, the Court decided to examine and rule on the validity of the EU-U.S. Privacy Shield framework. In ruling that the Privacy Shield is invalid, the Court stated that “the limitations on the protection of personal data arising from [U.S. domestic law] on the access and use [of the transferred data] by U.S. public authorities […] are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.”

Moreover, the Court found that the EU-U.S. Privacy Shield framework does not grant EU individuals actionable rights before a body offering guarantees that are substantially equivalent to those required under EU law. On those grounds, the Court of Justice of the European Union declared the EU-U.S. Privacy Shield invalid.

Next Steps for Companies and Institutions

The organizations that currently rely on the Standard Contractual Clauses will need to consider whether, having regard to the nature of the personal data, the purposes and context of the processing, and the country of destination, there is an “adequate level of protection” for the personal data as required by EU law.

Further, ther organizations should consider what additional measures, standards, tools and safeguards may be implemented to ensure there is in fact an “adequate level of protection.”

The changes and adaptations must be done urgently.

How is your company dealing with this issue?

Let us know, let’s talk about it.

Contact us directly at


P.S. Below you may find the statement issued by the #EDPB – European Data Protection Board in relation to this ruling.

“(…) The EDPB takes note of the duties for the competent supervisory authorities (SAs) to suspend or prohibit a transfer of data to a third country pursuant to SCCs, if, in the view of the competent SA and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country, and the protection of the data transferred cannot be ensured by other means, in particular where the controller or a processor has not already itself suspended or put an end to the transfer. (…)”

#Schrems #compliance #law #IT #personaldata #PrivacyShield #courtcase #ruling #dataprotection #datatransfers #cybersecurity #dataexporter #dataimporter #datacontroller #dataprocessor #data #SaaS #fintech #marketing