Guidance notes for responding to ‘Schrems II’

This series provides guidance notes on what the 'Schrems II' decision means for companies that rely on the EU-U.S. Privacy Shield.

In response to the Court of Justice of the European Union’s historic ruling July 16, 2020, on the so-called “Schrems II” court case, members from Baker McKenzie shared a series of guidance notes on what the decision means for companies that rely on EU-U.S. Privacy Shield, controller-to-processor standard contractual clauses, SCCs for transfers to controllers, derogations/exceptions to transfer restrictions, and binding corporate rules, as well as for Brexit and what companies can expect with the road ahead on these issues.

Series Overview

What Privacy Shield organizations should do
This article explains the immediate steps Privacy Shield–certified organizations should take following the CJEU’s invalidation of the EU‑U.S. Privacy Shield, including assessing data transfers, reviewing reliance on SCCs, and preparing for enforcement uncertainty.
View article

Controller-to-processor SCCs
This article discusses how Schrems II impacts controller‑to‑processor Standard Contractual Clauses, noting that while they remain valid, organizations must conduct case‑by‑case assessments of third‑country laws and implement supplementary safeguards where necessary.
View article

Data transfers and Brexit
This article examines the implications of Schrems II for EU‑U.K. data transfers, highlighting the uncertainty around U.K. adequacy and outlining steps companies should take if the U.K. is treated as a third country subject to transfer safeguards like SCCs.
View article

Impact on controller-to-controller SCCs
This article analyzes how Schrems II affects controller‑to‑controller SCCs, clarifying that although they remain valid, organizations must apply the same heightened scrutiny and supplementary measures required for controller‑to‑processor transfers.
View article

BCRs as a robust alternative
This article outlines why Binding Corporate Rules (BCRs) are considered a strong alternative to Privacy Shield and SCCs, emphasizing their regulatory approval and relative insulation from Schrems II concerns, though they may still face similar adequacy scrutiny.
View article

Impacts on companies that rely on derogations
This article explains that Schrems II does not significantly restrict the use of GDPR derogations for transfers, but notes their narrow scope and the need for organizations to evaluate when such exceptions may appropriately apply.
View article

Technology, media and telecommunications services
This article explores how Schrems II complicates compliance and sales activities for technology, media and telecommunications providers, prompting the need for supplementary measures and customer‑focused assurances regarding cross‑border processing.
View article

Predictions for the road ahead after ‘Schrems II’
This article offers seven predictions about post‑Schrems II global data transfers, forecasting increased adoption of alternative mechanisms like SCCs and derogations, and noting that any successor to Privacy Shield is unlikely in the near term.
View article