Schrems II

TL;DR

Schrems II is the name given to an ECJ (European Court of Justice) case that was based on the fact that US companies cannot ensure adequate standards for personal data protection. As a consequence, personal data transfer between the EU and the US became illegal and the Privacy Shield agreemnt between them was rendered obsolete.

What does Schrems II mean?

Schrems II is the generic name given to a case at the European Court of Justice, which ruled in favor of Max Schrems and led to the invalidation of the EU-US Privacy Shield, on July 16, 2020. This led to the fact that it became illegal for any type of data processor to use services from the USA, that would give those services access to the personal data of EU citizens, without fully explaining the risks. The consequences were very serious, so much as for some major US companies (e.g. Facebook) to consider interrupting their business in the EU altogether.

A previous case, known as Schrems I, started by the same person, had been at the origin of a similar outcome in 2015. The decision of the ECJ in the Schrems II case, was based on the argument that, especially due to US legislation like the CLOUD Act, there is no way to guarantee the privacy of personal data if they are handled by US companies. Federal agencies using a warrant could always force data processors like Google or Facebook to disclose personal information about users, without any consent from them. It does not matter where the servers containing the data are physically placed. Therefore, any EU citizen accessing a website hosted in the US, or any website that uses third party apps managed by US companies (e.g. Google Analytics), needs to be properly informed about all the legal implications of the data transfer, as well as all the risks.

For more details on the consequences of Schrems II, you can read this overview. In summary, they are:

  • website owners with EU visitors can't store data outside the EU, unless the laws of that country can provide an adequate level of protection for the data
  • any third party services used by a website must also provide protection, and therefore cannot be based in the US. These services may include: website analytics tools, customer relation management tools, advertising services, chat tools, user insight tools etc.
  • the list of US companies who were exempted from the rules, based on the Privacy Shield, were no longer operating legally
  • consent banners must include specific cookie information, as well as data transfer regulations
up-arrow.svg