By Felipe Ruiz | August 06, 2020
Have you heard about Schrems I and Schrems II? If you have, I'll tell you in advance that this post is about them. If you haven't, you can set aside any sudden idea that these are movie titles.
Last month I received a post from Matomo that I didn't understand very well after reading it. It was political stuff, and I have to admit that I haven't had a great relationship with politics throughout my career. So I decided to look for more information that would let me expand my understanding of what was happening. This piece might help you in a similar way.
The event highlighted in that post, or at least its apex, occurred on July 16 this year. That day, the Court of Justice of the European Union (CJEU) determined that the EU-US Privacy Shield agreement, a safeguard used by many companies to transfer personal data from the European Union to the United States for commercial purposes, was invalid. This happened in part because of one man's enthusiasm. Let's get this straight.
Many of us know that, in their daily activity, some US companies (and companies from other places) collect a variety of data on people around the world, including in EU countries. What has proved problematic is the collection of more data than is strictly necessary, or the unauthorized use of such data. The Cambridge Analytica incident immediately comes to (my) mind; you can watch a documentary about it on Netflix.
It was back in 2013 when our main character (although I said this is not a movie) appeared with a legal case associated with inappropriate use of data. We're talking about Max Schrems, an Austrian privacy rights campaigner, who challenged the transfer of personal data (his and other EU citizens') from Facebook to servers in the US. He did it before the Irish Data Protection Commission, questioning the validity of the Safe Harbor Agreement between the US Department of Commerce and the European Union for the regulation of data transfer. Then, following the rejection of his complaint by the Commission, Schrems submitted the case to the High Court. From there, it was referred to the CJEU. Finally, in 2015, it considered that the Safe Harbor principles were invalid and inadequate to protect EU citizens' information. That ruling was called Schrems I. It led those who had proposed the Safe Harbor Agreement to quickly seek an alternative framework for the protection of data in transfer between the EU and the US.
That’s how the EU-US Privacy Shield came about. It was built to fulfill what the Safe Harbor Agreement did not. Specifically, this new agreement was intended to ensure consistency with EU laws for the use of information that was to come from the EU citizens to the US. However, this 'shield,' according to Shreya Tewari, "was heavily criticised by activists and data protection experts alike for not providing any concrete protection against indiscriminate access to personal data for national security purposes."
It was then that Schrems appeared again and gave rise to a new legal case (the sequel?), Schrems II. Here, he was challenging the operation of data transfer agreements (Standard Contractual Clauses, SCC) with non-EU countries as well as the bilateral agreement with the US (Privacy Shield). Like the previous case, this one took a considerable amount of time to reach the members of the CJEU, and more time passed before a determination was made. In the end, there was no problem with the SCC (to the relief of many businesses), but as we mentioned above, the invalidity of the EU-US Privacy Shield was made public. Once again, US domestic law wasn't guaranteeing protection of fundamental rights (mainly personal data privacy) equivalent to that guaranteed by EU law.
The Privacy Shield was not configured to comply with the EU's General Data Protection Regulation (GDPR), especially with regard to using strictly what is necessary. That agreement, which had been used by Facebook to support its data transfers to the US, "could not guarantee an adequate level of protection for EU personal data in the event of access by US intelligence agencies." In fact, according to United States security laws, requests by these agencies could take priority over EU personal privacy rights.
As Tewari tells us, "[with] this ruling, [the CJEU] has reiterated its strong commitment to upholding EU citizens' fundamental right to have their data processed fairly, with consent and for specified purposes." Max himself shared his happiness about the judgment on noyb. (noyb, broadly speaking, is a group initiated by Schrems that seeks to enforce the privacy rights of individual users in Europe.) He also explicitly noted "that the US will have to seriously change their surveillance laws" to allow US companies "to continue to play a major role [in] the EU market."
Indeed, Facebook was not the only company affected by the judgment. "Literally overnight 5,378 US participants were directly impacted," shared the Global Legal Post a few days ago. However, the impact goes further, and "the decision affects many EU businesses which relied on it to legalise EU-US data transfers, especially to US service providers." In line with the statements by John Falzone on ESRB, many of those companies that invested time and money in certifying compliance with the Privacy Shield "did nothing wrong" but "exactly what they were asked to do." But what if their mistake was in subscribing to something they did not know well? In any case, those that depend entirely on that agreement are now, purely and simply, violating the GDPR.
As happened after Schrems I, following Schrems II the involved parties in both regions will be looking for a new way forward, based on some reformulations. Nonetheless, contrary to the first case, it appears that there will be no formal grace period for implementing the required changes this time. Besides, other countries that collect data from the EU will also have to make some adjustments because of their inadequate data protection. Either way, those involved will look for an early solution. Currently, the exception is supposed to be that only crucially 'necessary' transfers will be kept. What does that mean? I don't know. What I'm clear about is what Omer Tene said: "data will continue to flow across borders."
Nevertheless, Max Schrems has achieved it again. He first trampled on the 'Harbor' in Schrems I. Now he's done it on the 'Shield' in Schrems II. This is not fiction, as I warned before; we're talking about a real fact. Better, a commendable fact. It encourages more accurate assessments of each party's surveillance laws when establishing security arrangements. Furthermore, an emphasis is placed on the responsibility that government agencies have to take action. They must always ensure the enforcement of data protection laws and security standards, such as the GDPR. By the way, the GDPR is one of those standards we have recently synthesized here at Fluid Attacks in our product Rules.
Finally, if you want more information on the Schrems cases, follow this link. And if you also want some practical advice related to this situation, you can read the Matomo post mentioned at the beginning.