Schrems II Judgment

5 Minutes Insight
July 2020
 Schrems II Judgment | Invalidity of Privacy Shield
The current judgment has its roots in 2013, when Maximillian Schrems originally brought a complaint before
the Irish Data Protection Commissioner claiming that personal data transfers under the EU-US Safe Harbor
Programme were unsafe
BACKGROUND
2008 … 2012
Facebook processes user
data in the United States.
Facebook originally
participated in the EU-US
Safe Harbour Programme,
which the European
Commission had determined
provided "adequate
protection" for European
Union users data.
© 2020 | Deloitte Legal
2013
In 2013, Maximillian Schrems, an
Austrian citizen, has lodged a
complaint before the Irish Data
Protection Commissioner,
alleging the inadequacy of the
law and practice in the United
States for personal data
transferred from the European
Union in relation with
surveillance activities undertaken
by US intelligence agencies.
2014 2015 2016 2017 2018 2019 2020
1 The European
Commission
adopted the Privacy
Shield Decision.
In May 2018, the Irish High
Court referred several questions
regarding the validity of
Standard Contractual Clauses
(SCC’s) and the Privacy Shield to
the CJEU focusing on whether
data transfers under SCC’s and
The CJEU issued its ruling on October the Privacy Shield violated
Articles 7, 8, 47, and 52 of the On 16th July 2020, the
6, 2015, invalidating Safe Harbour.
EU Charter of Fundamental CJEU delivered its
The Court ruled that national data
Rights (Charter). judgment in the
protection authorities have the right to
"Schrems 2" case. The
investigate the adequacy of data
decision concludes that
transfers under the EU-US Safe
the Privacy Shield is
Harbour arrangement or any other
invalid. SCC’s remain
arrangements concluded pursuant to
valid.
an adequacy decision by the European
Commission for that matter, and the
Safe Harbour arrangement should be
invalid due to the lack of adequacy.
Schrems II Judgment | Declaration of Invalidity of Privacy Shield 2
 Schrems II Judgment | Invalidity of Privacy Shield
In its landmark judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian
Schrems (Schrems II) released on 16 July 2020, the CJEU found that SCCs were valid in principle but declared
the Privacy Shield invalid

SCHREMS II DECISION

Main Reasons

• CJEU found that U.S. surveillance programs are not limited to what is strictly necessary and proportional as required by EU law and hence do not
meet the requirements of Article 52 of the EU Charter on Fundamental Rights.
Privacy Shield
• Furthermore, the court determined that, with regard to U.S. surveillance, EU data subjects lack actionable judicial redress and, therefore, do not
have a right to an effective remedy in the US, as required by Article 47 of the EU Charter.

• The CJEU reaffirmed the validity of SCCs but stated that organisations must verify, on a case-by-case basis, whether the law in the recipient
country ensures adequate protection, under EU law, for personal data transferred under SCCs and, where it doesn’t, that organisations must
provide additional safeguards or suspend transfers.
Standard Contractual Clauses

• The ruling placed the same requirement on EU data protection authorities to suspend such transfers on a case-by-case basis where equivalent
protection can not be ensured.

© 2020 | Deloitte Legal Schrems II Judgment | Declaration of Invalidity of Privacy Shield 3

 Schrems II Judgment | Invalidity of Privacy Shield
Organisations should take appropriate and decisive steps to confirm that data transfers under their
responsibility comply with the GDPR and the judgment of the CJEU

WHAT ORGANISATIONS SHOULD DO

1
Data Transfers Assessment Analysis of Supervisory Authorities’ guidance
Organisations should assess international data flows (and When the CJEU invalidated EU-US safe harbor in 2015, supervisory
specially to US) and on what basis - Privacy Shield, Standard authorities recognised that organisations needed guidance and time

2
Contractual Clauses or Binding Corporate Rules as well as to implement such decision. It is expected that supervisory
analysis of the local laws in the recipient country. authorities take the same approach this time and provide clear
guidance on organisations’ necessary measures and timings.

3
Develop a Data Transfer Risk Assessment Model
Subject to guidance from supervisory authorities,
organisations shall define and implement a Data Transfer
Risk Assessment Model in order to understand to which
Adjustment from Privacy Shield to alternative
safeguards
Where the Privacy Shield was used to legitimize the international

4
data transfer, organisations should take steps now to ensure
countries personal data is being transferred, if public coverage under another safeguard such as Standard Contractual
authorities in that country could be entitled to access the Clauses.
data and its lawful basis, the security measures
implemented or to be implemented in transit.

© 2020 | Deloitte Legal Schrems II Judgment | Declaration of Invalidity of Privacy Shield 4

 Our Team
Truly global, truly connected and truly integrated

Joana Mota Agostinho

Partner
PT - Lisbon
Digital Law Data Lead
+351 964224796
jmagostinho@ctsu.pt

Core Deloitte Legal Data Team:

• Over 150 Legal professionals in

more than 40 countries advising
on Digital Law

• Data Legal Practitioners

© 2020 | Deloitte Legal Schrems II Judgment | Declaration of Invalidity of Privacy Shield 5

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”).
DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in
respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to
clients. Please see www.deloitte.com/about to learn more.
Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our global network of member firms and related
entities in more than 150 countries and territories (collectively, the “Deloitte organization”) serves four out of five Fortune Global 500® companies. Learn how Deloitte’s approximately
312,000 people make an impact that matters at www.deloitte.com.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms or their related entities
(collectively, the “Deloitte organization”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect
your finances or your business, you should consult a qualified professional adviser.
No representations, warranties or undertakings (express or implied) are given as to the accuracy or completeness of the information in this communication, and none of DTTL, its
member firms, related entities, employees or agents shall be liable or responsible for any loss or damage whatsoever arising directly or indirectly in connection with any person relying
on this communication. DTTL and each of its member firms, and their related entities, are legally separate and independent entities.
© 2020. For information, contact Deloitte Touche Tohmatsu Limited.