Schrems II hub: every development in the saga

GDR tracks the post-Schrems developments that you need to know. Last updated 14 October. 

A lot has happened since the Schrems II decision in mid-July. The future of international data transfers is up in the air, and it’s hard to keep up with every development – whether that’s announcements by regulators, positions taken by big tech companies, or debates in European Parliament.

Below you’ll find details of all the reactions and responses to the landmark decision – and analysis of how they might shape the future of international data flows. It’s in reverse chronological order, and will be constantly updated as things change. We believe there is no other resource like it.

Microsoft to continue hosting French health data – for now14 October

A French administrative judge refused to order France’s health database to stop processing personal information on Microsoft’s cloud, despite Schrems II-driven fears that US intelligence could access it – but France may nonetheless take the data away from Microsoft.

EU-US gap widens over post-Schrems surveillance2 October

The US and EU seem further than ever from an agreement on how to solve data flows to the US, as two influential pressure groups called for wholesale US surveillance reform days after the US attempted to assuage companies’ fears about the country’s privacy regime.

Schrems II parties fight over who won1 October

In a court hearing over who should pay costs for the European Court of Justice case, both Schrems and the Irish Data Protection Commission appeared to claim they had won the case and so should not be required to pay costs. Facebook also said it should not be required to pay costs. Justice Caroline Costello, who presided over the High Court trial, reserved her judgment. 

Israel blocks Privacy Shield transfers30 September 

EU-adequate Israel followed the European Court of Justice’s lead in stopping companies from using the Privacy Shield mechanism from transferring data to the US.

Noyb reveals major companies’ responses to Schrems II28 September

In response to questions from Max Schrems’s NGO Noyb, 33 prominent companies revealed how legal departments are responding to the Schrems II judgment – with many organisations leaning heavily on standard contractual clauses.

Data transfer ban may shut down Facebook EU services22 September

In one of the most headline-grabbing developments since the judgment, Facebook’s head of data protection and privacy said in a submission to the Irish High Court that it is “not clear” how Facebook could provide services in the EU if transfers are banned. 

Facebook SCC Irish investigation under fire from both sides15 September 

Both Max Schrems and Facebook slammed the Irish Data Protection Commission’s decision to open a fresh investigation of Facebook’s use of standard contractual clauses (SCCs) to transfer data to the US. The Irish High Court allowed Facebook to bring a judicial review against the regulator over the decision, while Schrems said he had “zero trust” in the DPC. 

First shots fired in Schrems II Irish battle10 September

Ireland’s data watchdog opened a new investigation into Facebook’s use of standard contractual clauses, leading to accusations from Max Schrems that the regulator breached a court order in doing so.

Swiss Privacy Shield deemed inadequate8 September 

Switzerland’s data protection authority found that the US-Swiss Privacy Shield is not up to scratch. The US-Swiss Privacy Shield is similar to the EU-US mechanism felled in mid-July. The Swiss federal data regulator said Switzerland’s equivalent mechanism is no longer adequate under Swiss data protection law. 

Convention 108+ mooted as Schrems solution7 September 

Council of Europe officials suggested the influential Convention 108+ could solve the international data transfer problems created by the judgment. Alessandra Pierucci, chair of the Convention 108 committee and Jean-Philippe Walter, data protection commissioner of the Council of Europe, argued that Convention 108+ is the best instrument to facilitate international data transfers.

European taskforce launched over Schrems II complaints4 September 

The European Data Protection Board launched a taskforce to investigate 101 identical complaints that Max Schrems’ non-profit Noyb filed with 30 data protection authorities across the EU. Noyb urged regulators to take action against companies’ use of Google Analytics and Facebook Connect to transfer data to the US, claiming the transfers violate the standards set out in the judgment. 

Reynders: Updated SCCs coming this year3 September

Providing evidence to the European Parliament Committee on Civil Liberties, Justice and Home Affairs, European Commissioner for Justice Didier Reynders said that new Schrems-proof standard contractual clauses should be finalised this year.

Schrems II probes start in Finland25 August

Finland’s data protection authority contacted several of the world’s largest technology companies – including Amazon Web Services, Microsoft and IBM – to get information about their response to the landmark decision. The regulator asked the companies what mechanism they use to transfer data to the US and what changes they have made since the decision.

Schrems attempts to kickstart data transfer enforcement18 August

Schrems’ filed 101 complaints to data protection authorities across Europe in an attempt to force regulators to enforce the ruling. His NGO Noyb filed the complaints in all 30 EU and European Economic Area countries, after analysing the source code of major EU websites. 

Regulators press on with data transfer efforts17 August

The European Data Protection Board published a series of opinions on applications by national data regulators for requirements for codes of conduct and certification schemes that can ease international transfers. 

Third time lucky for EU/US data transfer deal?11 August

The EU and US started discussions for an “enhanced” Privacy Shield that would comply with Schrems II, but experts fear that such a deal would undermine GDPR rights if the US refuses to curtail its surveillance practices.

TikTok to store European data locally6 August

Controversial app TikTok announced plans to store European data locally in the wake of the judgment. TikTok’s chief information security officer Roland Cloutier said that the company will open its first European data centre, which will be in Ireland, by 2022. 

GDR analysis: European regulators buckling under Schrems pressure6 August

Exclusive GDR research and analysis found that understaffed and under-resourced European data protection authorities are likely to struggle with the new responsibilities handed to them by the Schrems II decision. 

Exclusive: Amazon to continue using SCCs for US data transfer20 July

GDR exclusively reported that Amazon Web Services – the world’s largest cloud computing company – will continue to use standard contractual clauses to transfer data to the US. A company spokesperson confirmed the position, saying customers can “continue to rely” on standard contractual clauses if they transfer data outside the EU. 

Berlin data commissioner takes hardline Schrems position20 July

Just days after the decision, the shockwave of the ruling became immediately apparent, as the Berlin data protection authority suggested that EU companies should move their data from the US to Europe – and that data transfers to the US using standard contractual clauses (SCCs) cannot continue.

Microsoft to continue using SCCs despite Schrems II17 July

A senior Microsoft lawyer insisted that the ruling does not affect the company’s ability to legally transfer data to the US using standard contractual clauses. Microsoft chief privacy officer Julie Brill assured the company’s commercial customers that the ruling “does not change your ability to transfer data today between the EU and US using the Microsoft cloud”.

Schrems II sparks data transfer chaos and confusion16 July

GDR’s report on the day of the decision predicted data transfer “chaos and confusion”. That now seems to be a prescient turn of phrase, given the many complex developments – few of which have provided any new clarity – that have taken place since July.


Get unlimited access to all Global Data Review content