What is Schrems II? It is shorthand for Case C-311/18 Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems. In it, the Court of Justice reaffirmed that, generally, transfers of personal data from the EU to non-EU countries are prohibited unless sufficient measures are taken to protect it.
The court followed law found in the European Data Protection Directive and the GDPR (General Data Protection Regulation). Both say that personal data of EU citizens may not be transferred to non-EU countries unless proper safeguards are in place and only if the non-EU country ensures an adequate level of protection for the personal data transferred.
In short, Schrems II invalidated the EU/US Privacy Shield Framework that many companies used to legally transfer data between the EU and US. The EU and US governments created the Privacy Shield so companies could become certified to securely transfer data between the EU and US.
The Schrems II court did not believe that the Privacy Shield did enough to protect EU personal data because, among other things, even under the program, EU citizens have no right to challenge government requests for their information under the Foreign Intelligence Surveillance Act.
As Christian explains, although Schrems II invalidated Privacy Shield, it did not invalidate Standard Contractual Clauses (SCCs), and he suggests that if you do not have SCCs in place and you transfer data from the EU to the United States, you should look into them.
Standard Contractual Clauses are model contract clauses officially sanctioned by the European Commission that address how companies must handle and protect personal data of EU citizens.
Christian also says that companies can bolster their contracts and SCCs by implementing a law enforcement policy: a specific policy about how a company will handle inquiries from intelligence agencies or law enforcement regarding data.