Term: Schrems II

Schrems II refers to the 2020 legal case (Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems) in which the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield framework for transatlantic data transfers. This case is named after Max Schrems, an Austrian privacy activist who initiated the legal proceedings.

Key Points about the Schrems II case

– Invalidated the EU-US Privacy Shield framework for data transfers
– Raised concerns about US surveillance laws and their impact on EU citizens’ privacy
– Emphasized the need for stronger safeguards in international data transfers

Historical Context

Safe Harbor Agreement (2000-2015)

– Initial framework for EU-US data transfers
– Challenged by Max Schrems in 2013 (Schrems I case)
– Invalidated by the CJEU in October 2015

EU-US Privacy Shield (2016-2020)

– Replaced Safe Harbor following Schrems I decision
– Designed to provide stronger protections for transatlantic data flows
– Invalidated by the CJEU in July 2020 (Schrems II decision)

EU-US Data Privacy Framework (2023-present)

– Introduced in response to Schrems II decision
– Includes enhanced safeguards and a new Data Protection Review Court
– Facing potential legal challenges from privacy advocates

Impact of Schrems II

1. Legal Uncertainty: Created significant challenges for businesses relying on EU-US data transfers
2. Alternative Mechanisms: Increased focus on Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs)
3. Compliance Burden: Necessitated reassessment of data transfer practices and implementation of additional safeguards

Key Figure: Max Schrems

– Austrian privacy activist and lawyer
– Initiated the original complaint against Facebook in 2013
– Founded NOYB (None Of Your Business), a non-profit organization focused on strategic litigation in privacy cases
– Instrumental in challenging both Safe Harbor and Privacy Shield frameworks