Frequently Asked Questions & Resources on ‘Schrems II’

Last Updated: July 2021

The following questions are a compilation and consolidation of the hundreds of questions the IAPP received during the five LinkedIn Live sessions we hosted the week following the decision of the Court of Justice of the European Union in the Case C-311/18: Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems. We are publishing these frequently asked questions and links to relevant resources from government authorities and privacy practitioners as a resource for privacy professionals working to respond to this significant court decision.

The CJEU decision included two main findings. First, it found the European Commission’s adequacy determination for the EU-U.S. Privacy Shield Framework invalid due to concerns regarding the necessity and proportionality of U.S. government surveillance authorities and the availability of actionable judicial redress for EU data subjects. Second, it reaffirmed the validity of standard contractual clauses, while stating that companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection, under EU law, for personal data transferred under SCCs and, where it doesn’t, provide additional safeguards to guarantee such protection or suspend transfers.

We will continue to update these FAQs as we identify additional resources and welcome the assistance of IAPP members. Please let us know at research@iapp.org if there are additional materials we should include.

Questions and Resources by Topic

Privacy Shield
Standard contractual clauses
Binding corporate rules
Derogations
Case-by-case assessments and supplementary measures
Types of data transfers/sectors affected
DPA guidance


Privacy Shield

  • What alternatives to Privacy Shield are available to U.S.-based companies that need a legal mechanism to transfer personal data to the U.S. in compliance with EU data protection rules?

  • Can or should EU-U.S. Privacy Shield participants recertify considering the “Schrems II” decision?

  • Does “Schrems II” impact the Swiss-U.S. Privacy Shield?

  • Does “Schrems II” impact use of the EU-U.S. Privacy Shield to transfer personal data from the U.K. to the U.S.?


Standard Contractual Clauses

  • Can a business use SCCs to transfer data to the U.S.?

  • Can a business use SCCs to transfer data to other third countries outside of the EU?


Binding Corporate Rules

  • Can businesses still transfer data to the U.S. using BCRs?

  • Can businesses use BCRs to transfer data to other third countries outside of the EU?


Derogations

  • Can businesses use one of the derogations of Article 49 GDPR to transfer data to the U.S. or other countries?


Case-by-Case Assessments and Supplementary Measures

  • How do businesses conduct case-by-case assessments of the sufficiency of foreign protections when using SCCs, BCRs or other transfer mechanisms?

  • When conducting case-by-case assessments, what is the appropriate comparator of sufficiency, as established by the Court of Justice of the EU in ‘Schrems II’?

  • What supplementary measures can companies use to provide sufficient protections when case-by-case assessments reveal deficiencies?


Types of Data Transfers/Sectors Affected

  • How does the Schrems II decision impact the transfer of HR data?

  • Does the Schrems II decision impact communications providers, tech companies, and/or companies across sectors?


DPA Guidance


