TL;DR
- Schrems II is the colloquial name for CJEU case C-311/18, decided July 2020, which invalidated the EU-US Privacy Shield adequacy decision.
- It left Standard Contractual Clauses (SCCs) intact but required exporters to assess whether destination-country law allows recipients to comply with EU data-protection obligations.
- Where that law does not, the exporter must apply 'supplementary measures' — typically strong encryption with keys held inside the EU and out of the importer's reach — or stop the transfer.
- The EU-US Data Privacy Framework (DPF), adopted in 2023, replaces the Privacy Shield, but its durability is itself the subject of ongoing legal challenge.
The Background
The case was brought by Austrian privacy advocate Max Schrems against the Irish Data Protection Commissioner, focusing on Facebook's transfers of European user data to the US. The court was asked to consider whether US surveillance law — in particular FISA Section 702 and Executive Order 12333 — meant the US could not offer adequate protection to EU personal data.
On 16 July 2020, the Court of Justice of the European Union (CJEU) ruled that the EU-US Privacy Shield framework did not, as a matter of EU law, provide adequate protection. It invalidated the Privacy Shield with immediate effect.
What Schrems II Did Not Strike Down
The judgement preserved Standard Contractual Clauses (SCCs) as a valid transfer mechanism — but with an important caveat. SCCs can only be relied on where the exporter has assessed the law and practice of the destination country and concluded that the recipient can in fact comply with the clauses.
Where the assessment shows the recipient cannot comply — for example because the destination country has surveillance laws that allow government access without effective redress — the exporter must apply supplementary measures or suspend the transfer.
The practical effect is that signing SCCs alone is no longer enough. Exporters must perform a Transfer Impact Assessment (TIA) before relying on SCCs, document the analysis, and put supplementary measures in place where needed.
Transfer Impact Assessment
A TIA is a documented exercise that asks: given the law and practice of the destination country, can the recipient actually deliver on the SCC commitments? It typically covers:
- Destination country surveillance law and whether it meets the EU's 'essential equivalence' standard.
- Practical risk — is the data of a type that is likely to attract government access?
- Existence of redress mechanisms for EU data subjects in the destination country.
- Technical safeguards in place — encryption, pseudonymisation, fragmentation.
- Contractual and organisational safeguards — challenge-orders policy, transparency reporting.
Supplementary Measures
Where the TIA shows the destination country's law is insufficient, the exporter must apply supplementary measures. The EDPB's Recommendations 01/2020 distinguish measures that are effective from those that are not:
| Measure | Effective? |
|---|---|
| Strong encryption with keys held only in the EU and inaccessible to the importer. | Yes — accepted by EDPB. |
| Pseudonymisation where the importer cannot re-identify. | Yes — accepted. |
| Split processing — data fragments distributed so no single recipient has full record. | Yes — accepted. |
| Contractual transparency reports and challenge-orders commitments. | Helpful but insufficient on their own. |
| Encryption with keys held by the importer. | Generally insufficient — the importer can be compelled. |
The EU-US Data Privacy Framework (DPF)
In July 2023, the European Commission adopted a new adequacy decision — the EU-US Data Privacy Framework — replacing the Privacy Shield. The DPF rests on Executive Order 14086, which limits US signals intelligence to what is necessary and proportionate, and creates a Data Protection Review Court for EU-citizen redress.
Transfers to US organisations certified under the DPF can again rely on the adequacy decision rather than on SCCs plus a TIA. However, Schrems himself and others have signalled legal challenges, and the durability of the DPF in the event of a third Schrems judgement remains uncertain.
Practical Implications for Cloud Buyers
- Check whether your cloud provider is certified under the DPF; if yes, transfers are simpler.
- If not, expect to sign SCCs and to be asked for a TIA.
- Hold encryption keys in the EU or UK, inaccessible to the importer, where possible — this is the cleanest supplementary measure.
- Maintain a documented TIA per major data-flow; regulators ask for it.
- Watch the DPF litigation; have a fallback transfer plan in case it is invalidated.
Where Yobitel Sits
Yobitel data flows for EU and UK customers default to regional residency — data does not leave the UK or EU without an explicit customer instruction. Where customers do require cross-border data flows, we maintain SCC templates, TIA documentation, and customer-managed key escrow as standard.
References
- CJEU judgement C-311/18 (Schrems II) · Court of Justice of the EU
- EDPB Recommendations 01/2020 on supplementary measures · European Data Protection Board
- EU-US Data Privacy Framework adequacy decision · European Commission