On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a landmark judgement in the Data Protection Commissioner v Facebook Ireland Limited case, commonly referred to as Schrems II after the primary complainant, Austrian privacy advocate Max Schrems. This case is a follow-up to Schrems I, in which the CJEU invalidated the Safe Harbor arrangement governing data transfers between the EU and the US back in 2015.
In last month’s historic decision, the Court invalidated the EU-US ‘Privacy Shield Framework’, which was aimed at enabling transfers of personal data between Europe and the United States and had come into force in 2016. At the heart of Schrems’ complaint was the fact that U.S. surveillance laws did not offer adequate protection for the personal data of EU residents. The decision concurred with his outlook and the Privacy Shield was deemed invalid. Importantly, the judgement upheld the validity of standard contractual clauses (SCCs), which a majority of private companies rely on to transfer their data out of the EU. Having said that, the ruling also clarified that these SCCs will be vetted on a case-by-case basis, requiring both companies and regulators to assess the standard of law and privacy of data in the country to which the data is being transferred and measure whether they meet the standards set by the EU.
With the EU’s GDPR considered the highest standard for data protection and privacy in the world, the repercussions of this decision will be felt globally, impacting companies in the U.S. and beyond. In the Indian context, Schrems II might have an adverse impact on the wide range of Indian companies exporting digital services and data to the EU using SCCs. However, there have been signs of progress on this front: the recently signed India-EU Strategic Partnership Roadmap (2025) includes a clause on cross-border flows of data and has the potential to act as a significant initial step forward.
On the whole, the fallout of this judgement is fairly ambiguous and it has raised pertinent questions while providing few answers. In an ideal future, Schrems II has the potential to spur a harmonized global data protection framework with solid legal instruments allowing for secure international data transfers. Alternatively, this could be perceived as an unrealistic standard to be adhered to globally and we might see a push towards something resembling the Chinese model of greater data localisation and balkanization. This ruling is an important milestone in the developing conversation around data protection and cross-border transfers, but it is the response of policy makers around the world that will inform how history will remember it.
Gautam Kathuria is a Research and Engagement Associate with The Dialogue and can be reached at gautam@thedialogue.co.