DPA and government guidance on ‘Schrems II’

Last Updated: December 2021

On July 16, 2020, the Court of Justice of the European Union handed out its decision on Case C311-18 Data Protection Commission vs. Facebook Ireland, Max Schrems. The historic ruling invalidated the EU-U.S. Privacy Shield framework and validated standard contractual clauses with an additional layer of requirements when exporting EU citizens’ data to a third country. The invalidation of Privacy Shield and the additional requirements for SCCs have created uncertainty for organizations using these data transfer mechanisms. In response, data protection authorities and government agencies are publishing initial guidance for how to handle the post-“Schrems II” data transfer world. This IAPP Resource Center page collects together DPA and government guidance as it comes out. The IAPP will continue to update this page as new guidance emerges.

If you are aware of existing DPA or government guidance not yet included on this page, please let us know.

DPA and government guidance

  European Commission


  European Data Protection Board


  European Data Protection Supervisor


  Czech Republic


  Denmark


  Estonia


  Finland


  France


  Germany (Berlin)


  Ireland


  Italy


  Liechtenstein


  Lithuania


  Netherlands


  Norway


  Poland


  Slovenia


  Spain


  Switzerland


  United Kingdom


  U.S. Department of Commerce