Schrems II Guide: Compliance & Data Privacy Impacts

Updated December 13th, 2023

Non-compliance with Schrems II could result in severe legal penalties, including hefty fines under data protection laws such as the GDPR. In extreme cases, this could extend to an outright ban on data transfers to third countries, disrupting business operations.

Schrems II compliance is not merely a regulatory hurdle but a critical business imperative. The Schrems II ruling, issued by the Court of Justice of the European Union (CJEU) in 2020, has profoundly impacted data governance for organizations handling EU citizen data.




Organizations now face more stringent obligations when transferring data outside the European Economic Area, compelling them to enhance their data governance strategies. Compliance is no longer just a legal mandate but a prerequisite for maintaining trust and reputation.

In this article, we cover Schrems II in full, from compliance tips to technological solutions.

Let us dive in!


Table of contents

  1. What is Schrems II all about?
  2. How does Schrems II affect data governance?
  3. 5 Tips for companies looking for Schrems II compliance
  4. What is the relationship between Schrems II and Privacy Shield?
  5. 5 Technological solutions for compliance with Schrems II
  6. Summing up
  7. Schrems II: Related reads

What is Schrems II all about?

Schrems II is a landmark ruling by the Court of Justice of the European Union (CJEU) that significantly impacts data transfers between the European Economic Area (EEA) and the United States.

Understanding its implications is crucial for any business involved in cross-border data transfers.

  1. Court of Justice of the European Union (CJEU) ruling
  2. Invalidation of Safe Harbor and Privacy Shield
  3. Data transfer assessments
  4. Impact on businesses

Let us understand them in detail:

1. Court of Justice of the European Union (CJEU) ruling


The CJEU issued the Schrems II ruling on July 16, 2020. This followed legal challenges by Austrian privacy activist Max Schrems against Facebook, questioning the legitimacy of transferring the personal data of EU citizens to the U.S.

The court reviewed mechanisms like Safe Harbor and Privacy Shield, concluding that they were not adequate to protect EU citizens’ data.

2. Invalidation of Safe Harbor and Privacy Shield


The ruling invalidated the EU-U.S. Privacy Shield framework, a mechanism previously used for transatlantic data transfers. The Safe Harbor agreement had already been invalidated by an earlier ruling, Schrems I.

Both these mechanisms failed to meet EU data protection standards according to the CJEU.

3. Data transfer assessments


Following Schrems II, organizations must conduct thorough assessments to ascertain if countries receiving EU data provide adequate protections.

If not, additional safeguards like Standard Contractual Clauses (SCCs) must be employed to protect data rights.

4. Impact on businesses


The ruling has wide-ranging implications for businesses that transfer data between the EEA and the U.S. Non-compliance could lead to hefty fines and legal repercussions.

Companies must reevaluate their data governance strategies and adopt rigorous measures to comply with EU data protection laws.

Understanding Schrems II is not just a legal requirement but a cornerstone for establishing trust in the digital economy. Businesses must be proactive in reassessing their data governance policies to ensure compliance and avoid legal pitfalls.


How does Schrems II affect data governance?

Schrems II has a profound impact on data governance, fundamentally altering how organizations handle cross-border data transfers. Data governance is no longer just about internal policies; it extends to scrutinizing external data transfer mechanisms and jurisdictions.

Schrems II is having the following effects on data governance:

  1. Increased regulatory scrutiny
  2. Focus on data sovereignty
  3. Necessity for data mapping and inventory
  4. Evolution of data transfer agreements
  5. Change in data storage and processing strategies

Let us understand these pointers in detail:

1. Increased regulatory scrutiny


Schrems II mandates that organizations be extra vigilant in ensuring data protection when transferring data across borders. Regulatory bodies within the EEA are now more inclined to scrutinize data transfer agreements and mechanisms, making data governance a front-and-centre concern for businesses.

2. Focus on data sovereignty


Data sovereignty, the concept that data is subject to the laws and governance structures of the nation in which it is located, gains prominence post-Schrems II. Organizations must now consider the legal landscape of destination countries more carefully, affecting their data governance models.

3. Necessity for data mapping and inventory


Understanding where and how data flows is imperative post-Schrems II. Organizations must create a comprehensive data map and inventory to identify which data is transferred internationally and whether those transfers comply with the ruling.

4. Evolution of data transfer agreements


Traditional data transfer mechanisms like Privacy Shield are no longer valid. This forces a review and evolution of data transfer agreements, often replacing them with Standard Contractual Clauses (SCCs) or other supplementary measures.

5. Change in data storage and processing strategies


Organizations might need to reconsider their cloud storage solutions or third-party data processors based in the U.S. or other non-EEA countries. This could involve migrating to data centers located within the EEA or adopting encryption measures that conform to EU standards.

The landscape of data governance has been reshaped by Schrems II. Compliance is not optional; it’s obligatory. Businesses must adapt to these changes promptly, considering them as part of a holistic data governance strategy, to avoid penalties and maintain trust.


5 Tips for companies looking for Schrems II compliance

Compliance with Schrems II is not just a legal obligation but a business imperative for organizations engaged in cross-border data transfers involving the EU.

Given its nuanced requirements, a multi-faceted approach is necessary for effective compliance.

These are the tips for Schrems II compliance:

  1. Conduct a data transfer impact assessment
  2. Review and update data transfer agreements
  3. Employ supplementary measures
  4. Monitor and adapt to regulatory changes
  5. Consult legal and data protection experts

Let us understand in detail:

1. Conduct a data transfer impact assessment


Companies should initiate a data transfer impact assessment to identify the types, volumes, and destinations of data being transferred.

This analysis should also scrutinize the data protection regimes of the countries where the data is being sent to ensure they offer adequate protections, as mandated by Schrems II.

2. Review and update data transfer agreements


The existing data transfer agreements should be thoroughly reviewed to ensure they conform with the new legal landscape.

Old mechanisms like Privacy Shield are no longer adequate, so companies should look into employing Standard Contractual Clauses (SCCs) or binding corporate rules (BCRs) where applicable.

3. Employ supplementary measures


Schrems II requires organizations to employ supplementary measures when data is transferred to countries with inadequate data protection regimes.

These measures can include technological solutions like end-to-end encryption, or organizational measures like stringent internal data access policies.

4. Monitor and adapt to regulatory changes


The regulatory landscape post-Schrems II is fluid. Companies must stay abreast of new guidelines or interpretations from the European Data Protection Board (EDPB) and national Data Protection Authorities.

Keeping a vigilant eye will help companies adapt to changes swiftly.


5. Consult legal and data protection experts


Given the complexities and nuances of Schrems II, consultation with legal experts specializing in data protection laws is highly recommended. They can provide tailored advice, ensuring that all facets of the organization are compliant with the ruling.

Compliance with Schrems II is a dynamic process that demands constant vigilance and adaptation. Organizations should approach it as an integral part of their data governance strategy, seeking expertise and employing robust measures to ensure uninterrupted, lawful data transfers.


What is the relationship between Schrems II and Privacy Shield?

The relationship between Schrems II and the EU-U.S. Privacy Shield is one of legal transformation. The Schrems II ruling invalidated the Privacy Shield framework, significantly changing the rules for transatlantic data transfers.

The following points explain the relationship between Schrems II and Privacy Shield:

  1. What was the EU-U.S. Privacy Shield?
  2. Schrems II ruling and its impact
  3. Invalidating Privacy Shield
  4. Consequences for data transfers

Let us learn about this relationship in detail:

1. What was the EU-U.S. Privacy Shield?


The EU-U.S. Privacy Shield was a framework agreed upon by the European Union and the United States to facilitate the safe transfer of personal data from the EU to the U.S. It aimed to ensure that American companies adhered to EU-level data protection standards when handling European citizens’ data.

2. Schrems II ruling and its impact


The Schrems II ruling came from a case brought by Austrian privacy activist Max Schrems against Facebook. The Court of Justice of the European Union (CJEU) issued the ruling on July 16, 2020, focusing on the adequacy of data protection mechanisms for EU-U.S. data transfers.

3. Invalidating Privacy Shield


One of the key outcomes of the Schrems II ruling was the invalidation of the EU-U.S. Privacy Shield. The CJEU determined that the framework did not offer sufficient protections against U.S. surveillance activities, making it incompatible with EU data protection laws.

4. Consequences for data transfers


The invalidation of the Privacy Shield had immediate and far-reaching consequences for companies relying on it for data transfers. Organizations had to quickly find alternative legal mechanisms for transferring data, such as Standard Contractual Clauses (SCCs), and evaluate whether additional safeguards were needed.

The Schrems II ruling and the invalidation of the EU-U.S. Privacy Shield have dramatically altered the landscape of transatlantic data transfers. Understanding this relationship is crucial for any company involved in handling data across these jurisdictions.


5 Technological solutions for compliance with Schrems II

As the Schrems II ruling places stringent requirements on international data transfers, technology plays a crucial role in compliance. Companies need to adopt specific technological measures to ensure that their cross-border data transfers meet the new legal standards.

The solutions are as follows:

  1. Data encryption
  2. Tokenization
  3. Data masking
  4. Secure multi-party computation
  5. Localized data storage

Let us understand each of them in detail:

1. Data encryption


Encrypting data during transmission and storage can be an effective way to safeguard it from unauthorized access.

Companies can use end-to-end encryption to protect data being transferred internationally. This prevents intermediaries or malicious actors from deciphering the content, aligning with the enhanced data protection requirements of Schrems II.

2. Tokenization


Tokenization replaces sensitive data elements with non-sensitive equivalents, known as “tokens.” This process can be particularly useful for securing specific types of data like credit card numbers or personally identifiable information (PII). These tokens can then be safely transferred internationally, with the original data kept secure within the EEA.

3. Data masking


Data masking anonymizes sensitive information by replacing it with fabricated data or characters. While similar to tokenization, data masking does not allow for reverse engineering to reveal the original data. This can be effective for transferring non-critical datasets while still complying with Schrems II.
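
The difference between tokenization and data masking described above, shown as an added example (not part of the original article): a vault that stays inside the EEA can map random tokens back to the originals, while masking discards information for good. `EeaTokenVault`, `POLICY`, `prepare_for_transfer` and the sample record are hypothetical names and constructed data.

```python
import secrets


class EeaTokenVault:
    """Token vault that stays inside the EEA (hypothetical); only tokens leave."""

    def __init__(self):
        self._by_token = {}  # token -> original value
        self._by_value = {}  # original value -> token, so joins on tokens still work

    def tokenize(self, value: str) -> str:
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(16)  # random, not derivable from the value
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]  # raises KeyError for unknown tokens


def mask_email(email: str) -> str:
    """Irreversible masking: keep the first character and the domain only."""
    local, _, domain = email.partition("@")
    return (local[:1] + "***@" + domain) if domain else "***"


# Field policy (assumption for this example): how each column may leave the EEA.
POLICY = {"customer_id": "tokenize", "card_number": "tokenize",
          "email": "mask", "country": "keep"}


def prepare_for_transfer(record: dict, vault: EeaTokenVault) -> dict:
    out = {}
    for field, value in record.items():
        action = POLICY.get(field, "drop")  # default-deny: unlisted fields never leave
        if action == "tokenize":
            out[field] = vault.tokenize(value)
        elif action == "mask":
            out[field] = mask_email(value)
        elif action == "keep":
            out[field] = value
    return out


# Constructed sample record, not real data.
SAMPLE = {"customer_id": "C-1001", "email": "anna.schmidt@example.com",
          "card_number": "4111111111111111", "country": "DE",
          "notes": "called support"}
```

The protection depends on the vault mapping never leaving the EEA; if the mapping is exported alongside the tokens, the transfer is equivalent to sending the original values.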

4. Secure multi-party computation


Secure multi-party computation (SMPC) allows parties to perform computations on encrypted data without needing to decrypt it. This can be especially useful in cloud computing environments and multi-organizational collaborations where data must remain private but still usable for analysis.

5. Localized data storage


Instead of transferring data internationally, companies can opt for localized data storage solutions within the EEA. This eliminates the need for cross-border transfers altogether and mitigates the risk of non-compliance with Schrems II.

Technological solutions are indispensable for Schrems II compliance, offering both security and flexibility. Companies must carefully select and implement these technologies as part of a comprehensive data governance strategy to meet the new legal requirements and protect sensitive information.


Summing up

The Schrems II ruling has undoubtedly disrupted old paradigms around data transfers and protection. However, with careful evaluation, planning and adaptation, organizations can transform it into an opportunity to build more robust and ethical data governance practices.

By conducting impact assessments, fortifying transfer mechanisms, adopting security technologies, and monitoring regulatory shifts, compliance can be achieved in a systematic manner.

The post-Schrems II landscape undoubtedly poses new complexities, but organizations that embrace the evolution as part of a broader governance strategy will be well-positioned to balance legal obligations, customer trust and business objectives. In navigating the path ahead, cross-functional collaboration will be key.


