Schrems II Explained: Everything You Need To Know

The landmark data privacy case Schrems II has had a significant impact on the digital landscape since it was decided in 2020. Affecting remote work, public cloud adoption, global data processing, and more, Schrems II has upended the way that companies transfer EU personal data — including over 5,000 American companies conducting transatlantic business.

But what is Schrems II, and why has it been so significant? Below, we’ll walk you through the nuances of the GDPR, the Schrems II decision, and its implications for your organization.

What is the GDPR?

The GDPR, or General Data Protection Regulation, is an extratorrial regulation governing data protection and privacy in the European Union and the European Economic Area. Its main goal is to increase privacy for people who live in European Union member states and to give them more control over their personal data.

Passed in April 2016 and enforceable as of May 2018, the GDPR impacts the data practices of any organization dealing with the personal data of people in the EU. Among the affected organizations are European companies — but also foreign governments, global data brokers, US cloud providers, and any other “third country” handling EU personal data.

To comply with the GDPR, organizations must:

Receive people’s genuine and informed consent before using their personal data.
Explain how they process, use, share, and store people’s personal data.

Offer special protections for certain types of sensitive data, including information about political and religious beliefs, union membership, health and biometrics, race, etc.
Allow people to correct, delete, move, or transfer their own personal data.
Provide notifications in the case of data breaches.
And more.

What is Schrems II?

Schrems II — technically, Case C-311/18 Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems — is a 2020 legal case decided by the Court of Justice of the European Union. The case was brought by Maximillian Schrems, an Austrian privacy advocate and the founder of noyb, an organization that argues legal cases about data protection under the GDPR.

In a nutshell, Schrems II invalidated the GDPR’s 2016 EU-US Privacy Shield — which was itself implemented as the result of a previous court case with Maximillian Schrems over Facebook’s transfer of personal data to the United States. That previous case, Schrems I, had led the European Commission and the US Department of Commerce to design the EU-US Privacy Shield, which was intended to be a data transfer mechanism that would comply with the GDPR.

Schrems, however, argued that the EU-US Privacy Shield mechanism was still insufficient to protect personal data. In the Schrems II case, the specific issue under consideration was Facebook’s use of Standard Contractual Clauses (SCCs) to transfer people’s data from Ireland to the US. This practice, Schrems argued, meant that personal data could still be accessed by US intelligence agencies via national security laws like the US Foreign Intelligence Surveillance Act (FISA).

The outcome? In July 2020, the Court of Justice agreed with Schrems and ruled that the EU-US Privacy Shield decision was invalid. Specifically, the International Association of Privacy Professionals explains, the court found that US surveillance programs were not limited to what was “strictly necessary and proportional as required by EU law.”

The Court of Justice also maintained their position that authorities must suspend or prohibit data transfer to third countries when they believe that data protection cannot be ensured by other means.

What about SCCs?

Despite their ruling on the EU-US Privacy Shield, the court did uphold the general validity of Standard Contractual Clauses or SCCs — but they added some important caveats.

First, the court emphasized that organizations relying on SCCs must “verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.”

In other words, companies cannot rely on SCCs or similar transfer tools alone; instead, they have to ensure on a case-by-case basis that the recipient country has data protection policies equivalent to the EU’s. If not, then their SCCs must be supplemented by additional safeguards — and if safeguards can’t be achieved, then the data must not be transferred at all.

What are the implications of Schrems II?

Schrems II was a major verdict. The repeal of the earlier EU-US Privacy Shield decision invalidated the entire legal basis for free data flows to the US. As the Brookings Institution puts it, the decision places “severe limits” on previous GDPR mechanisms for transferring EU personal data. SCCs and other previously approved transfer tools no longer give companies carte blanche, and supplementary measures may be necessary to meet compliance.

Additionally, individual organizations must now undertake case-by-case assessments of recipient countries’ data protection policies — a requirement that can be onerous. “For example,” the Thales Group writes, “if a European organization was looking to store customer data on servers based in a non-EU country, any data transfer to these servers would have to undergo an individual risk assessment to ensure it is compliant with GDPR.”

Luckily, there are solutions. In June 2021, the European Data Protection Board (EDPB) finalized a number of recommendations to guide companies in transferring EU personal data. The EDPB offered three main types of recommendations:

Contractual measures: Legal clauses to be incorporated into contracts about data transfers, including usable contractual language.
Organizational measures: Internal policies and processes around data transfers and transparency.
Technical measures: Suggestions on state-of-the-art encryption technologies, encryption key management policies, and split or multi-party processing (Use Case 5 of the EDPB’s recommendations) that fragments and distributes data.

Below, we’ll explain how ShardSecure can help satisfy the requirements of Use Case 5 and keep companies compliant with Schrems II.

ShardSecure and split or multi-party processing

Use Case 5 of Schrems II involves splitting information into smaller pieces prior to transmission and distributing those pieces across multiple processors, locations, and jurisdictions so that the information cannot be reconstructed. Microshard technology is a split processing technology, and it can be deployed in a multi-party processing environment to meet these Schrems II requirements.

How it works: Our patented technology desensitizes sensitive data at rest for better confidentiality and security through a three-step microsharding process. This process ensures that data at rest is unintelligible and of no value to unauthorized users, including cloud providers and companies outside the European Union.

Microshard containers can also be distributed across multi- and hybrid-cloud environments with different numbers of storage locations and in different jurisdictions. These settings are user-configurable, and control of the data is kept in the hands of the data owner, not the processors.

The result? Organizations can remain in compliance with the Schrems II ruling. To learn more about how ShardSecure can help, take a look at our BrightTALK webinar and white paper on the GDPR and Schrems II compliance.