Schrems II hub: every development in the saga
GDR tracks the post-Schrems developments that you need to know. Last updated 22 May.
A lot has happened since the Schrems II decision in mid-July 2020. The future of international data transfers is up in the air, and it’s hard to keep up with every development – whether that’s announcements by regulators, positions taken by big tech companies, or debates in European Parliament.
Below you’ll find details of all the reactions and responses to the landmark decision – and analysis of how they might shape the future of international data flows. It’s in reverse chronological order, and will be constantly updated as things change. We believe there is no other resource like it.
Ireland's High Court refused to block an investigation of Facebook’s EU-US data transfers.
Microsoft will let its commercial and public sector customers store all of their data in the EU from 2023, in what appears to be the first concrete response of a major cloud provider to the Schrems II ruling.
Austria’s data protection authority heard submissions from Google and Max Schrems’s activist group over data transfers to the US – in enforcement that Schrems suggested could be worth billions.
Portugal’s data watchdog ordered a public body to immediately stop transfers to popular US-based web infrastructure company Cloudflare – but Cloudflare said the regulator got its facts wrong.
The European Data Protection Board urged EU national governments to review international agreements in areas as diverse as tax and police cooperation to check for clashes with the GDPR and the Schrems II judgment.
Senior EU and US officials upped their efforts to create a new EU-US Privacy Shield, but Max Schrems told GDR he’ll challenge a replacement if he considers it inadequate.
A Mailchimp customer dropped the service after intervention by a German data regulator over concerns the popular email platform may be subject to US surveillance laws.
Schrems II enforcement process begins in Germany – 19 February
German data protection authorities collectively decided how to interrogate companies on their compliance with the new data transfer rules mandated by the Schrems II ruling.
New SCCs expected by March – 27 January
The European Commission’s international data flows and protection chief said said the highly-anticipated new standard contractual clauses should be in place by March 2021.
Jelinek and Wiewiórowski call for SCC improvements – 18 January
The EU’s most senior data protection regulators urged the European Commission to improve its new proposed standard contractual clauses for international data transfers.
UK companies could pay billions if adequacy not secured – 24 November
Companies of all sizes will incur significant costs if the UK fails to obtain an EU adequacy decision, according to new research. The UK's adequacy woes have been complicated considerably by the Schrems II judgment.
New SCCs to impose raft of costly new obligations – 13 November
The EU’s updated standard contractual clauses (SCCs) will impose onerous new obligations on international data transfers, and might affect the economics of receiving SCC-transferred information.
The European Data Protection Board released highly-anticipated guidance on data transfer precautions – which appears to rule out the use of many cloud services.
An Irish judge ordered Ireland’s Data Protection Commission to cover costs Max Schrems incurred in the Schrems II European Court of Justice case – but acknowledged that her decision will place a “very heavy financial burden” on the cash-strapped regulator.
EDPS warns EU bodies: no new transfers to US – 2 November
As part of its response to the Schrems II ruling, the European Data Protection Supervisor warned the EU institutions it regulates not to set up any new transfers to the US. The move may prompt a wider European position on international data flows.
Andrea Jelinek and Wojciech Wiewiórowski, the heads of the European Data Protection Board and the European Data Protection Supervisor respectively, revealed some aspects of their plans to deal with the fallout from the Schrems II decision.
A French administrative judge refused to order France’s health database to stop processing personal information on Microsoft’s cloud, despite Schrems II-driven fears that US intelligence could access it – but France may nonetheless take the data away from Microsoft.
EU-US gap widens over post-Schrems surveillance – 2 October
The US and EU seem further than ever from an agreement on how to solve data flows to the US, as two influential pressure groups called for wholesale US surveillance reform days after the US attempted to assuage companies’ fears about the country’s privacy regime.
Schrems II parties fight over who won – 1 October
In a court hearing over who should pay costs for the European Court of Justice case, both Schrems and the Irish Data Protection Commission appeared to claim they had won the case and so should not be required to pay costs. Facebook also said it should not be required to pay costs. Justice Caroline Costello, who presided over the High Court trial, reserved her judgment.
Israel blocks Privacy Shield transfers – 30 September
EU-adequate Israel followed the European Court of Justice’s lead in stopping companies from using the Privacy Shield mechanism from transferring data to the US.
Noyb reveals major companies’ responses to Schrems II – 28 September
In response to questions from Max Schrems’s NGO Noyb, 33 prominent companies revealed how legal departments are responding to the Schrems II judgment – with many organisations leaning heavily on standard contractual clauses.
Data transfer ban may shut down Facebook EU services – 22 September
In one of the most headline-grabbing developments since the judgment, Facebook’s head of data protection and privacy said in a submission to the Irish High Court that it is “not clear” how Facebook could provide services in the EU if transfers are banned.
Facebook SCC Irish investigation under fire from both sides – 15 September
Both Max Schrems and Facebook slammed the Irish Data Protection Commission’s decision to open a fresh investigation of Facebook’s use of standard contractual clauses (SCCs) to transfer data to the US. The Irish High Court allowed Facebook to bring a judicial review against the regulator over the decision, while Schrems said he had “zero trust” in the DPC.
First shots fired in Schrems II Irish battle – 10 September
Ireland’s data watchdog opened a new investigation into Facebook’s use of standard contractual clauses, leading to accusations from Max Schrems that the regulator breached a court order in doing so.
Swiss Privacy Shield deemed inadequate – 8 September
Switzerland’s data protection authority found that the US-Swiss Privacy Shield is not up to scratch. The US-Swiss Privacy Shield is similar to the EU-US mechanism felled in mid-July. The Swiss federal data regulator said Switzerland’s equivalent mechanism is no longer adequate under Swiss data protection law.
Convention 108+ mooted as Schrems solution – 7 September
Council of Europe officials suggested the influential Convention 108+ could solve the international data transfer problems created by the judgment. Alessandra Pierucci, chair of the Convention 108 committee and Jean-Philippe Walter, data protection commissioner of the Council of Europe, argued that Convention 108+ is the best instrument to facilitate international data transfers.
European taskforce launched over Schrems II complaints – 4 September
The European Data Protection Board launched a taskforce to investigate 101 identical complaints that Max Schrems’ non-profit Noyb filed with 30 data protection authorities across the EU. Noyb urged regulators to take action against companies’ use of Google Analytics and Facebook Connect to transfer data to the US, claiming the transfers violate the standards set out in the judgment.
Reynders: Updated SCCs coming this year – 3 September
Providing evidence to the European Parliament Committee on Civil Liberties, Justice and Home Affairs, European Commissioner for Justice Didier Reynders said that new Schrems-proof standard contractual clauses should be finalised this year.
Schrems II probes start in Finland – 25 August
Finland’s data protection authority contacted several of the world’s largest technology companies – including Amazon Web Services, Microsoft and IBM – to get information about their response to the landmark decision. The regulator asked the companies what mechanism they use to transfer data to the US and what changes they have made since the decision.
Schrems’ filed 101 complaints to data protection authorities across Europe in an attempt to force regulators to enforce the ruling. His NGO Noyb filed the complaints in all 30 EU and European Economic Area countries, after analysing the source code of major EU websites.
Regulators press on with data transfer efforts – 17 August
The European Data Protection Board published a series of opinions on applications by national data regulators for requirements for codes of conduct and certification schemes that can ease international transfers.
Third time lucky for EU/US data transfer deal? – 11 August
The EU and US started discussions for an “enhanced” Privacy Shield that would comply with Schrems II, but experts fear that such a deal would undermine GDPR rights if the US refuses to curtail its surveillance practices.
TikTok to store European data locally – 6 August
Controversial app TikTok announced plans to store European data locally in the wake of the judgment. TikTok’s chief information security officer Roland Cloutier said that the company will open its first European data centre, which will be in Ireland, by 2022.
Exclusive GDR research and analysis found that understaffed and under-resourced European data protection authorities are likely to struggle with the new responsibilities handed to them by the Schrems II decision.
GDR exclusively reported that Amazon Web Services – the world’s largest cloud computing company – will continue to use standard contractual clauses to transfer data to the US. A company spokesperson confirmed the position, saying customers can “continue to rely” on standard contractual clauses if they transfer data outside the EU.
Just days after the decision, the shockwave of the ruling became immediately apparent, as the Berlin data protection authority suggested that EU companies should move their data from the US to Europe – and that data transfers to the US using standard contractual clauses (SCCs) cannot continue.
A senior Microsoft lawyer insisted that the ruling does not affect the company’s ability to legally transfer data to the US using standard contractual clauses. Microsoft chief privacy officer Julie Brill assured the company’s commercial customers that the ruling “does not change your ability to transfer data today between the EU and US using the Microsoft cloud”.
GDR’s report on the day of the decision predicted data transfer “chaos and confusion”. That now seems to be a prescient turn of phrase, given the many complex developments – few of which have provided any new clarity – that have taken place since July.
Copyright © Law Business ResearchCompany Number: 03281866 VAT: GB 160 7529 10