Data Transfer Between US and EU: Analysis of the Schrems II Judgement and the Way Forward

Ayushi Modi

Cross-border transfer of information is pivotal for the global economy. Protecting such transfers is critical to ensure that no data leaks or breaches occur when data is transferred across international boundaries. The EU is amongst the first territories to employ vast and stringent data protection legislation to ensure there are no data breaches in its member states. Article 44 of GDPR[1] prohibits the transfer of data beyond the EU/EEA unless the recipient country provides for an adequate data protection solution (Article 45)[2]. Under Article 49 of GDPR[3], there are prescribed ‘derogations for situations’ that specify the need to adopt certain safeguards which are deemed adequate as per the protection standards of the GDPR.

The European Commission (EC) has prescribed methods which are considered adequate to ensure protection of data in a cross-border transfer. However, in 2015 the Austrian activist and lawyer Max Schrems challenged the validity of one such method, the Safe Harbor Agreements, which was extensively adopted by Facebook for transfer of data.[4] The challenge was initially referred to the Irish Data Protection Commission and subsequently to the Court of Justice of the European Union (“CJEU”), and the Safe Harbor Agreements were rendered invalid due to lack of adequate protection.

With the Safe Harbor invalidation, other methods such as Standard Contractual Clauses (SCC), Privacy Shield and Binding Corporate Rules were put under scrutiny. With the interest of the CJEU piqued, the Court was once again consulted to further refine the adoption and validation of these methods, leading to the Schrems II judgement[5].

  • Challenges placed before the ‘European Court of Justice’: Schrems II
    • Max Schrems challenged before the CJEU the validity of adopting the SCCs as a framework for transferring data from the EU to the US, on the same grounds as the Schrems I case[6], which specified the lack of regulation around data protection in the US and its not being binding on the US Government authorities.
    • He questioned the validity of the Privacy Shield with regard to compliance with EU data protection safeguards.
  • Rulings under the Schrems II Judgement
    • Validity of SCC
      • The Court dismissed the claim that the SCCs are invalid for not providing an adequate framework for safeguarding data.
      • However, it recognized the need for companies and individuals to adopt extra measures to ensure the protection of their data when it is transferred to countries without adequate safeguards for data protection. It stated that additional frameworks should be adopted over and above the implementation of the SCCs to provide adequate safeguards as per EU law.
      • In this regard, the Court also stated that non-compliance with the SCCs, or the inability of the recipient to comply, would result in the termination of the contract or suspension of such transfers of data upon their verification.
    • Validity of Privacy Shield
      • The Court examined the validity of the Privacy Shield Framework and declared it invalid.
      • The Court ruled that the limitations on the protection of personal data, arising from US laws on the access to and use of such transferred data by U.S. public authorities, are not restricted in the way that is required under EU law.
      • It also stated that the Privacy Shield does not grant EU individuals actionable rights against the organizations, as is required under EU law.
      • The surveillance programs in the US which are commissioned by the Privacy Shield are not in compliance with the regulations of GDPR (Article 52 of GDPR).

With the judgement, the transfer of data between EU and non-EU countries became dependent on the validity of, and compliance with, the SCCs. Thus, on 4 June 2021, after releasing draft clauses on a new set of SCCs which was open to public feedback, the “European Commission released a modernized standard contractual clause set under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR)”.[7]

  • Analysis of the New SCCs
    • The new SCCs take a modular approach that addresses different complexities in data transfer. In addition to the transactions covered under the old SCC framework, they now facilitate the following transactions:
      • Processor-to-processor transfers.
      • Processor-to-controller transfers.
    • The new SCCs allow the position of a sub-processor for the first time. Such a sub-processor can be used pursuant to the authorization of the data exporter.
    • “The new SCCs also provide a mechanism for additional parties to assume a position in the clauses as data exporter or data importer.”[8]
    • Upon the transfer of data to any third country, the onus of ensuring an adequate level of protection, and of employing supplementary measures for such protection, is placed on the data exporter and importer.[9] The parties are prescribed to adopt a risk-based approach for such assurance.
    • Clauses for the exercise of data audits upon the controller’s request, at reasonable intervals or upon non-compliance, have been included in the new SCCs. Such an audit can be done by the controller or by employing an independent auditor.
    • “Importantly for US businesses, the New SCCs also contemplate use by non-EU established data exporters to the extent the processing is subject to the GDPR pursuant to the extraterritorial reach of GDPR Article 3(2).”[10]
    • Three new Annexes are prescribed to specify the different arrangements of data exports.
  • The Way forward for Companies
    • With the validity of the Privacy Shield dismissed, the SCCs would be widely adopted as a safety measure for transfer of data in compliance with GDPR objectives.
    • The companies currently employing the old SCCs have been provided with a transition period of 18 months (from June 2021). After the transition period, all companies would have to comply with the implementation of the new set of SCCs.
    • The companies will need to put in place a mechanism of supplementary measures along with the SCCs when transferring data to third countries which do not have adequate and stringent data protection laws in place.
  • Pertinence to India
    • India, being a third country (other than EU/EEA) and not on the adequate country list[11], will have to comply with providing an additional level of protection for any data received. “The DPA in a EU/EEA country where an entity looking to transfer personal data is located can authorize a transfer to India if such entity adduces adequate safeguards for data protection. One way this can happen is if such EU/EEA entity enters into a contract with an entity in India and that contract has appropriate contractual clauses relating to data protection and the DPA has accepted these clauses.”[12]
    • The new SCCs lay substantial responsibilities on data importers, especially on importers that also act as controllers. Thus, Indian companies in contracts for data transfer would be required to update their contractual obligations and comply with all additional protection requirements under GDPR.


[1] Article 44 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

[2] Article 45 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

[3] Article 49 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

[4] Schrems v Data Protection Commissioner, C-362/14, [2016] QB 527, [2016] 2 WLR 873, [2015] All ER (D) 34 (Oct), C-362/14.

[5] Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C 311/18) <http://curia.europa.eu/juris/document/document.jsf?text=&docid=204046&pageIndex=0&doclang=EN&mode=ls&dir=&occ=first&part=1&cid=6462885> accessed 3 December 2020.

[6] Schrems v Data Protection Commissioner (see n 4).

[7] European Commission, ‘Standard Contractual Clauses (SCC)’ <https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en> accessed 7 July 2021.

[8] Data Protection Commissioner v Facebook Ireland Limited (see n 5).

[9] Ibid.

[10] Carol A. F. Umhoefer and Andrew Serwin, ‘European Commission’s standard contractual clauses: extensive new requirements coming for US businesses receiving EU personal data subject to GDPR’ DLA Piper (8 June 2021) <https://www.dlapiper.com/en/us/insights/publications/2021/06/european-commissions-standard-contractual-clauses-extensive-new-requirements/> accessed 13 July 2021.

[11] ‘EU Data Protection Directive FAQs’ DSCI <https://www.dsci.in/content/eu-data-protection-directive-faqs> accessed 13 July 2021.

[12] Ibid.