Schrems II Privacy ruling

What was the Schrems II decision

One of the most important international privacy cases in recent history arose from a complaint against Facebook brought to the Irish Data Protection Commissioner by an Austrian privacy advocate named Max Schrems (an Austrian privacy activist). The case  known as “Schrems I” led the Court of Justice of the European Union (CJEU) on October 6, 2015, to invalidate the Safe Harbor arrangement, which governed data transfers between the EU and the US. The European Commission and US Department of Commerce jointly developed EU –US Privacy Shield to ensure EU-US data flows. 

In July 2020, the CJEU in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, the Schrems II ruling invalidated the EU-US Privacy Shield.  Privacy Shield was a key mechanism by which companies transferred data from the EU to United States in a manner compliant with GDPR. It also raised questions about whether standard contract clauses (SCCs) remain a viable alternative data transfer mechanism. 

The logic underlying the CJEU’s decision was that, because of the surveillance activities permitted by US law, the legal system of the US does not afford an “essentially equivalent” level of protection to EU residents as that provided by European law. The CJEU went beyond concerns with specific data-privacy protections and challenged the entire US foreign-intelligence apparatus.

Effects of Schrems II ruling on business.

  • The penalty for non-compliance with Schrems II is immediate termination of access to data, not fines. ​
  • Risk of business disruption and losses to business acting as a controller or processor.
  • Disruption to operations from terminated access to data can exceed any fine in its negative impact on business, revenue, and stock value.
  • The burden of proof for compliance is on the party transferring the information.
  • Case by case analysis regarding the validity of current contractual agreements with processors.
  • Failure to take action to remedy Schrems II non-compliance over the 6+ months since the CJEU ruling can expose Boards of Directors / Executives to personal and criminal exposure.

Recent case law

Conseil d’Etat – Doctolib and Amazon Web Services

For the purposes of hosting the data, Doctolib referred to AWS Sarl, based in Luxemburg, which is a subsidiary of Amazon Web Services in the U.S.

The plaintiffs claimed: this was a matter of urgency, in view of the particularly sensitive nature of the data involved and the breach of the fundamental right to data protection, because data was hosted by a subsidiary of a U.S. company, i.e., Amazon Web Services, submitted to U.S. law and its extraterritorial effects, which therefore allowed for access by U.S. authorities.

The hosting of health data by a company bound by U.S. law was incompatible with the GDPR under “Schrems II” and violated the provisions of the GDPR, due on the one hand, to the possibility of a transfer to the U.S. of the data collected by Doctolib through its processor, and on the other hand, even in the absence of data transfer, to the risk of access requests by U.S. authorities to the processor, AWS. 

Conseil d’Etat considered that the level of protection offered was not insufficient due to the many safeguards in place, which are the following.

Legal safeguards: The judge noted the contract concluded between Doctolib and AWS Sarl provides for a specific procedure in the event of an access request by a foreign authority; notably, AWS Sarl guarantees in its contract with Doctolib that it will challenge any general access request from a public authority.   

Technical safeguards: The judge also noted technically the data hosted by AWS Sarl is encrypted and the key is held by a trusted third party in France, not by AWS, to prevent data from being read by third parties.

The ruling underlines the need to provide for supplementary legal safeguards.

Bavarian DPA rules SCC transfer invalid because supplementary measures were not assessed

The Bavarian data protection authority (DPA) recently decided that the transfer of personal information to Mailchimp in the U.S. by a German company was unlawful, despite the use of Standard Contractual Clauses (SCCs). 

The transfer was considered unlawful because the company had not assessed whether supplementary measures should be put in place. 

Of note is that the DPA did not definitely find that supplementary measures were necessary, nor that the measures offered by Mailchimp were considered insufficient. The DPA did not impose a fine, amongst others, because the personal information at stake (e-mail addresses) wasn’t considered sensitive and because the EDPB guidelines on supplementary measures have not yet been finalized.


The DPA concluded that the German data exporter had not examined whether, in addition to the SCCs, supplementary measures are required to ensure an appropriate level of protection for personal information transferred to the U.S. 

The DPA found that such supplementary measures were likely necessary, because Mailchimp could be subject to U.S. government surveillance powers (specifically Section 702 FISA). 

Without the assessment of whether supplementary measures were indeed necessary, the transfer of e-mail addresses to Mailchimp in the U.S was held to be unlawful. Following the DPA’s decision, the company ceased all transfers of personal information to Mailchimp.