
Schrems II

Also: Schrems II ruling, Case C-311/18, DPC v Facebook Ireland and Schrems

Origin: Court of Justice of the European Union, Case C-311/18, judgment of 16 July 2020.

The 2020 ruling by the Court of Justice of the European Union invalidating the EU-US Privacy Shield framework for transfer of personal data from the EU to the United States, and imposing additional due-diligence requirements on controllers using standard contractual clauses for any third-country transfer where the receiving country does not offer essentially equivalent protection.

Schrems II is the 2020 judgment of the Court of Justice of the European Union — Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems — which invalidated the EU-US Privacy Shield framework for transfer of personal data from the European Union to the United States. The ruling held that US surveillance law, in particular section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333, exposed personal data transferred under Privacy Shield to disproportionate access by US intelligence agencies, in a manner that did not provide protection essentially equivalent to that required under EU law and Article 47 of the EU Charter of Fundamental Rights.

The operational consequences extended well beyond the Privacy Shield framework. The ruling held that controllers transferring personal data to third countries under standard contractual clauses — the principal remaining transfer mechanism — were obliged to assess, on a case-by-case basis, whether the law of the receiving country provided essentially equivalent protection, and to implement supplementary measures (technical, contractual, organisational) where it did not. The “case-by-case” qualifier turned what had been a paperwork-led compliance exercise into a substantive due-diligence one.

The European Data Protection Board issued recommendations in 2021 that operationalise the case-by-case assessment, and a new EU-US Data Privacy Framework was adopted in 2023 to replace the invalidated Privacy Shield. The new framework has been challenged in litigation that mirrors the Schrems II posture; its durability is open.

For an offshore-hosting operator the Schrems II posture is what makes a non-US jurisdiction practically valuable to an EU-located subscriber. A Swiss or Icelandic operator under data adequacy does not require the supplementary-measures machinery for EU subscriber data; a US-based operator transferring under standard contractual clauses does. The asymmetry is one of the substantive reasons subscribers select the operating jurisdictions the publication serves.