We have prepared this guide primarily to help people locate legal resources relevant to understanding the issues raised by the Schrems II case. It will also be helpful to those interested in other cross-border issues at the intersection of technology, privacy, and security.

This is a living guide; we will endeavor to keep it up to date, and welcome suggestions for additions or other changes.

European Union

The Schrems Cases
  1. Schrems I (2015)
    On October 6, 2015, the European Court of Justice issued a judgment declaring as “invalid” the European Commission’s Decision 2000/520/EC of 26 July 2000 “on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the US Department of Commerce.” As a result of that decision, the U.S.-EU Safe Harbor Framework is not a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This is a link to the Safe Harbor agreement that was invalidated by Schrems I. 
  2. Schrems II (2020)
    The adequacy decision on the EU-US Privacy Shield was adopted on 12 July 2016 and allowed the free transfer of data to companies certified in the US under the Privacy Shield. In its judgment of 16 July 2020 (Case C-311/18), the Court of Justice of the European Union invalidated the adequacy decision. The EU-US Privacy Shield is therefore no longer a valid mechanism to transfer personal data from the European Union to the United States.

Other Relevant CJEU Cases

The Court of Justice of the European Union (CJEU) has issued several judgments on whether EU law prohibits measures requiring providers of electronic communications services to share or retain communications data for national security or law enforcement purposes:

  1. Commissioner of An Garda Síochána and others (2022)
  2. La Quadrature du Net and others (2020)
  3. Privacy International and Others v. the United Kingdom (2020)
  4. Digital Rights Ireland Ltd vs. Minister for Communications (2014)

Relevant EU Legal Instruments
  1. General Data Protection Regulation (“GDPR”). Schrems II involved the application of the cross-border transfer provisions of GDPR.
  2. EU Charter of Fundamental Rights. The Schrems II court based its decision in large part on the EU Charter of Fundamental Rights. In particular, the Schrems II court highlighted the following articles of the Charter: 
  3. Treaty on European Union. The Schrems II court referred to Article 4(2) of the Treaty on European Union, which states: “The Union shall respect the equality of Member States before the Treaties as well as their national identities, inherent in their fundamental structures, political and constitutional, inclusive of regional and local self-government. It shall respect their essential State functions, including ensuring the territorial integrity of the State, maintaining law and order and safeguarding national security. In particular, national security remains the sole responsibility of each Member State.” The consolidated version of the treaty is available here.

Relevant EU Entities
  1. Court of Justice of the European Union (CJEU). The CJEU interprets EU law to make sure it is applied in the same way in all EU countries, and settles legal disputes between national governments and EU institutions.
  2. European Data Protection Board (EDPB). The EDPB is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. The EDPB is established by the General Data Protection Regulation (GDPR), and is based in Brussels.
  3. National Supervisory/Data Protection Authorities. The EDPB is composed of representatives of the EU national data protection authorities, and the European Data Protection Supervisor (EDPS). The supervisory authorities of the EFTA EEA States (IS, LI, NO) are also members with regard to GDPR-related matters, but without the right to vote or to be elected as chair or deputy chair.
  4. European Commission. The Commission helps to shape the EU’s overall strategy, proposes new EU laws and policies, monitors their implementation and manages the EU budget. It also plays a significant role in supporting international development and delivering aid.
  5. International Data Flows and Protection Unit of the Directorate-General for Justice and Consumers. The International Data Flows and Protection Unit of the Directorate-General for Justice and Consumers is the organization that leads the adequacy process under GDPR. This is the organization chart for the Directorate-General for Justice and Consumers.

EU Adequacy Decisions (Listed in reverse chronological order)
  1. Adequacy Decision for Privacy Shield (invalidated by Schrems II)
  2. The European Commission has so far recognized as providing adequate protection:

European Court of Human Rights
  1. Legal Instruments
    • European Convention on Human Rights. The Convention for the Protection of Human Rights and Fundamental Freedoms, better known as the European Convention on Human Rights, was opened for signature in Rome on 4 November 1950 and came into force on 3 September 1953. It was the first instrument to give effect to certain of the rights stated in the Universal Declaration of Human Rights and make them binding. Among other things, it established the European Court of Human Rights (ECtHR), which has issued rulings governing the applicability of the Convention’s privacy right to national security activities.
  2. European Court of Human Rights Cases
    • Case of Klass and Others v. Germany (1978). In this case, the applicants, five German lawyers, complained in particular about legislation in Germany empowering the authorities to monitor their correspondence and telephone communications without obliging the authorities to inform them subsequently of the measures taken against them. The European Court of Human Rights held that there had been no violation of Article 8 of the European Convention on Human Rights, finding that the German legislature was justified in considering the interference resulting from the contested legislation with the exercise of the right guaranteed by Article 8 to be necessary in a democratic society in the interests of national security and for the prevention of disorder or crime.
    • Case of Kennedy v. The United Kingdom (2010). The Court stated that based on the principle of effective protection by the Convention’s system, an individual might – under certain conditions to be determined in each case – claim to be the victim of a violation as a result of the mere existence of secret measures, even if they were not applied to him.
    • Roman Zakharov v. Russia (2015). The Court found the domestic legal provisions governing the interception of communications did not provide adequate and effective guarantees against arbitrariness and the risk of abuse. The domestic law did not meet the “quality of law” requirement and was incapable of keeping the “interference” to what was “necessary in a democratic society”.
    • Szabó and Vissy v. Hungary (2016). The case concerned Hungarian legislation on secret anti-terrorist surveillance introduced in 2011.
    • Big Brother Watch and Others v. the United Kingdom (2021). The case concerned complaints by journalists and human-rights organisations in regard to three different surveillance regimes: (1) the bulk interception of communications; (2) the receipt of intercept material from foreign governments and intelligence agencies; (3) the obtaining of communications data from communication service providers.
    • Centrum För Rättvisa v. Sweden (2021). The case concerned the alleged risk that the applicant foundation’s communications had been or would be intercepted and examined by way of signals intelligence, as it communicated on a daily basis with individuals, organisations and companies in Sweden and abroad by email, telephone and fax, often on sensitive matters.
    • Ekimdzhiev and Others v. Bulgaria (2022). The case concerned secret surveillance and the system of retention and subsequent accessing of communications data in Bulgaria.
  1. Official Statements and Reports

Enforcement Decisions
  1. DPC publishes statistical report on handling of cross-border complaints under GDPR’s One-Stop-Shop (OSS). The Irish Data Protection Commission (DPC) has today published a statistical report on the DPC’s handling of cross-border complaints under the GDPR’s One-Stop-Shop (OSS) mechanism.
  2. Austrian DPA’s Google Analytics Decision Could Have “Far-Reaching Implications”, IAPP (Jan. 20, 2022). The recent decision by the Austrian Data Protection Authority that the use of Google Analytics violates the EU General Data Protection Regulation could have “far-reaching implications.” The decision, published Jan. 13, is the first of 101 complaints filed across EU countries by advocacy group NOYB alleging companies using Google Analytics were not complying with the July 2020 Court of Justice of the European Union’s “Schrems II” decision on data transfers.
  3. EDPS Issues Decision on EU Parliament’s Cookie Violations, Hunton Andrews Kurth LLP (Jan. 19, 2022). On January 5, 2022, the European Data Protection Supervisor (“EDPS”) issued a decision against the European Parliament (“EP”). The case resulted from a complaint submitted by certain Members of the European Parliament (“MEPs”) who alleged that the Parliament’s use of cookies violated data protection law, including requirements regarding the transfer of personal data outside of the EU. 
  4. EDPS orders Europol to erase data concerning individuals with no established link to a criminal activity, EDPS (Jan. 10, 2022). On 3 January 2022, the EDPS notified Europol of an order to delete data concerning individuals with no established link to a criminal activity (Data Subject Categorisation). This Decision concludes the EDPS’ inquiry launched in 2019.
  5. Belgian Council of State Considers Encryption a Sufficient Measure for U.S. Data Transfers, Hunton Andrews Kurth LLP (Sept. 9, 2021). In its decision of August 19, 2021, the Belgian Council of State took the position that the use of U.S. cloud services in and of itself does not violate the GDPR. In reaching its decision, the Council of State took into account the Guidelines issued by the European Data Protection Board on supplementary measures and an opinion issued by the Flemish Supervisory Commission, and concluded that encryption is a valid supplementary measure to transfer data to the U.S. in certain circumstances, including where the encryption keys are kept under the full control of the data controller.
  6. Hamburg DPA warns regional Senate to discontinue video service use over data transfers, IAPP (Aug. 16, 2021). The Hamburg Commissioner for Data Protection and Freedom of Information warned the regional Senate Chancellery to stop using Zoom, citing “insufficient protection” of data transmitted to the U.S.
  7. The EDPS opens two investigations following the “Schrems II” Judgement, EDPS (May 27, 2021). The EDPS launched two investigations today, one regarding the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by European Union institutions, bodies and agencies (EUIs) and one regarding the use of Microsoft Office 365 by the European Commission.
  8. High Court hands Irish DPC victory in Facebook data transfers case, IAPP (May 14, 2021). The Irish High Court dismissed all of Facebook’s procedural complaints in a preliminary decision from Ireland’s Data Protection Commission regarding data transfers from the EU to the U.S. A win for the Irish DPC, the court decision opens up the possibility that Facebook would eventually have to halt personal data transfers from the EU to the U.S.
  9. Census 2021: Portuguese DPA (CNPD) suspended data flows to the USA, European Data Protection Board (Apr. 28, 2021). The Portuguese Data Protection Authority (CNPD) ordered INE (National Institute for Statistics) to suspend the sending of personal data from the Census 2021 to the United States.
  10. Bavarian DPA (BayLDA) calls for German company to cease the use of ‘Mailchimp’ tool, European Data Protection Board (Mar. 30, 2021). In this decision, the Bavarian DPA requested that a German company refrain from using Mailchimp to send its newsletter because Mailchimp could be subject to US surveillance laws.
  11. Why this French court decision has far-reaching consequences for many businesses, IAPP (Mar. 15, 2021). The Conseil d’Etat — France’s highest administrative court — ruled that personal data on a platform used to book COVID-19 vaccinations, managed by Doctolib and hosted by Amazon Web Services, was sufficiently protected under the EU General Data Protection Regulation because sufficient safeguards, both legal and technical, were put in place in case of an access request from U.S. authorities.

United States

Official Descriptions

The U.S. legal framework governing national security activities is extensive and complicated. It is a system of many layers with many players. A good starting point for understanding the relevant aspects of that framework is U.S. government submissions.  

  1. The European Commission included U.S. government descriptions of the U.S. legal framework in annexes to the Privacy Shield adequacy decision. Annexes VI and VII describe the national security legal framework:
  2. The U.S. government recently issued a white paper in response to the Schrems II ruling: Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II
  3. U.S. Government submission in Schrems I case.

General Reference Guides
  1. Guide to Posted Documents (intel.gov). This is a comprehensive guide to key legal documents that comprise the national security legal framework, with a particular focus on FISA Section 702, Executive Order 12333, United States Intelligence Activities, and Presidential Policy Directive-28, Signals Intelligence Activities. It includes links to the latest documents released by the U.S. Government relating to those authorities, such as Section 702 targeting, minimization, and querying procedures, compliance assessments, statistical transparency reports, and policies implementing protections under PPD-28.
  2. IC on the Record. The ODNI established IC on the Record as the platform for releasing documents relating to the IC’s surveillance authorities.
  3. IC on the Record Database Query Tool. This tool allows users to conduct full text searches of documents posted on IC on the Record.
  4. Intelligence Community Legal Reference Book. This is a comprehensive compilation of statutes, executive orders, and related legal instruments relevant to the U.S. national security legal framework, including FISA, the National Security Act of 1947, and the Freedom of Information Act. It is current as of 2020.
  5. Georgetown University Foreign Intelligence Law Collection. The collection includes foreign intelligence-related statutory and regulatory instruments; the legislative histories for statutory changes to the Foreign Intelligence Surveillance Act (FISA); publicly available and declassified opinions and orders issued by the Foreign Intelligence Surveillance Court (FISC) and Foreign Intelligence Surveillance Court of Review (FISCR); FISA-related cases in non-specialized Article III courts; statutorily-required reports on the operation of FISA and formal correspondence between FISC and Congress; FISC/FISCR Rules of Procedure; and an annotated bibliography of secondary sources related to FISA, FISC/FISCR, and foreign intelligence law.

Specific U.S. Legal Authorities

The Schrems II decision focused in particular on Section 702 of the Foreign Intelligence Surveillance Act (FISA), Executive Order 12333, and PPD-28. A helpful source for the latest official releases of documents that relate to those authorities is the Guide to Posted Documents. For ease of reference, we have included below some relevant highlights:

  1. FISA Section 702
  2. Executive Order 12333
  3. Presidential Policy Directive-28

New Trans-Atlantic Data Privacy Framework (2022)

Official Statements
  1. EDPB, Statement 01/2022 on the announcement of an agreement in principle on a new Trans-Atlantic Data Privacy Framework, April 6, 2022
  2. The White House, Remarks by President Biden and European Commission President Ursula von der Leyen in Joint Press Statement, March 25, 2022. United States President Joe Biden announces plans to enhance the Privacy Shield Framework.
  3. The White House, United States and European Commission Joint Statement on Trans-Atlantic Data Privacy Framework, March 25, 2022. Joint statement by United States and European Commission discussing the new Trans-Atlantic Data Privacy Framework.
  4. The White House, FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework, March 25, 2022. Description of what the new Trans-Atlantic Data Privacy Framework will entail.
  5. European Commission, Statement by President von der Leyen with US President Biden, March 25, 2022. European Commission President Ursula von der Leyen announces new data privacy framework between the European Union and United States.
  6. European Commission, European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework, March 25, 2022. Joint statement by European Commission and United States discussing the new Trans-Atlantic Data Privacy Framework.
  7. European Commission, Trans-Atlantic Data Privacy Framework, March 25, 2022. Overview of the agreement in principle for the new Trans-Atlantic Data Privacy Framework.

Cross-Border Privacy Rules

Official Statements
  1. U.S. Department of Commerce, Global Cross-Border Privacy Rules Declaration, April 21, 2022
  2. U.S. Department of Commerce, Statement by Commerce Secretary Raimondo on Establishment of the Global Cross-Border Privacy Rules (CBPR) Forum, April 21, 2022
  3. U.S. Department of Commerce, Global Cross-Border Privacy Rules Declaration FAQ, April 21, 2022
  4. Asia-Pacific Economic Cooperation, APEC Privacy Framework, 2015
  5. U.S. Department of Commerce, Cross Border Privacy Rules System, 2011

Data Free Flow with Trust

Global Efforts
  1. G7 Digital and Technology Ministerial Declaration
  2. Statement from OECD’s Committee on Digital Economy Policy
    • In December 2020, the OECD’s Committee on Digital Economy Policy issued a statement announcing the convening of a drafting group of government representatives and experts, including from law enforcement and national security agencies, to examine the possibility of developing an instrument setting out high-level principles or policy guidance for trusted government access to personal data held by the private sector. Such work would bring together and elaborate a set of common and coherent good practices and legal guarantees from across OECD countries for best reconciling law enforcement and national security needs for data with protection of individual rights.
  3. G20 Osaka Leaders Declaration
    • In June 2019, the leaders of the G20 met in Osaka, Japan and issued a declaration committing to facilitating the free flow of data and strengthening consumer and business trust.
    • On June 30, 2019, the OECD issued a statement supporting the G20 policy priorities at the Osaka Summit.

Articles and Papers

Listed in Reverse Chronological Order
  1. Raffaela Wakeman, Privacy Shield 2.0 —Third Time’s the Charm?, Lawfare (May 19, 2022)
  2. Theodore Christakis, Kenneth Propp and Peter Swire, EU/US Adequacy Negotiations and the Redress Challenge: How to Create an Independent Authority with Effective Remedy Powers, European Law Blog (Feb. 16, 2022)
  3. Theodore Christakis, Kenneth Propp and Peter Swire, EU/US Adequacy Negotiations and the Redress Challenge: Whether a New U.S. Statute is Necessary to Produce an “Essentially Equivalent” Solution, European Law Blog (Jan. 31, 2022)
  4. Gabriela Zanfir-Fortuna, Understanding Why the First Pieces Fell in the Transatlantic Transfers Domino, Future of Privacy Forum (Jan. 27, 2022)
  5. Thorsten Wetzling, Lauren Sarkesian, Charlotte Dietrich, Solving the Transatlantic Data Dilemma, Stiftung Neue Verantwortung (Dec. 15, 2021)
  6. Professor Stephen I. Vladeck, Expert Opinion on the Current State of U.S. Surveillance Law and Authorities, Data Protection Conference (Nov. 15, 2021)
  7. Alex Joel, Francesca Oliveira, Redress: What is the Problem?, European Law Blog (Sept. 28, 2021)
  8. Congressional Research Service (CRS) Report: U.S.-EU Privacy Shield and Transatlantic Data Flows (Sept. 22, 2021)
  9. Sharon Bradford Franklin, Lauren Sarkesian, Ross Schulman, Strengthening Surveillance Safeguards After Schrems II, New America (Apr. 7, 2021)
  10. Alex Joel, Protect Privacy. That’s an Order., Lawfare (Apr. 6, 2021)
  11. Congressional Research Service (CRS) Report: EU Data Transfer Requirements and U.S. Intelligence Laws: Understanding Schrems II and Its Impact on the EU-U.S. Privacy Shield (Mar. 17, 2021)
  12. Peter Margulies, Ira Rubinstein, EU Privacy Law and U.S. Surveillance: Solving the Problem of Transatlantic Data Transfers, Lawfare (Mar. 10, 2021)
  13. Theodore Christakis, Kenneth Propp, How Europe’s Intelligence Services Aim to Avoid the EU’s Highest Court—and What It Means for the United States, Lawfare (Mar. 8, 2021)
  14. Center for Democracy and Technology, Schrems II and the Need for Intelligence Surveillance Reform (Jan. 13, 2021)
  15. Cameron F. Kerry, The Oracle at Luxembourg: The EU Court of Justice Judges the World on Surveillance and Privacy, The Brookings Institution (Jan. 11, 2021)
  16. Peter Swire, Testimony by Peter Swire: U.S. Senate Commerce Committee Hearing “The Invalidation of the EU-U.S. Privacy Shield and the Future of Transatlantic Data Flows” (Dec. 9, 2020)
  17. Peter Swire, Appendix 1 to U.S. Senate Commerce Committee Testimony on “The Invalidation of the E.U.-U.S. Privacy Shield and the Future of Transatlantic Data Flows” (Dec. 9, 2020)
  18. Peter Swire, Appendix 2 to U.S. Senate Commerce Committee Testimony on “The Invalidation of the E.U.-U.S. Privacy Shield and the Future of Transatlantic Data Flows” (Dec. 9, 2020)
  19. Joshua P. Meltzer, Why Schrems II Requires US-EU Agreement on Surveillance and Privacy, The Brookings Institution (Dec. 8, 2020) 
  20. Hunton Andrews Kurth, CJEU Restricts Indiscriminate Access to Electronic Communications for National Security Purposes (Oct. 12, 2020)
  21. Christopher Docksey, Schrems II and Individual Redress—Where There’s a Will, There’s a Way, Lawfare (Oct. 12, 2020)
  22. Kenneth Propp, Peter Swire, After Schrems II: A Proposal to Meet the Individual Redress Challenge, Lawfare (Aug. 13, 2020) 
  23. Caitlin Fennessy, The ‘Schrems II’ decision: EU-US Data Transfers in Question, IAPP (July 16, 2020) 
  24. Gary Weingarden, Privacy Across Borders: Enforcement and Prescriptive Jurisdiction, IAPP (Apr. 23, 2019)
  25. European Union Agency for Fundamental Rights, Surveillance by Intelligence Services: Fundamental Rights Safeguards and Remedies in the EU Volume II: Field Perspectives and Legal Update (2017)
  26. European Union Agency for Fundamental Rights, Surveillance by Intelligence Services: Fundamental Rights Safeguards and Remedies in the EU Volume I: Member States’ Legal Frameworks (2017)
  27. Data Matters, Essentially Equivalent, Sidley Austin LLP (Jan. 2016)
  28. Steven Greer, The Exceptions to Articles 8 to 11 of the European Convention on Human Rights, Council of Europe Publishing (1997)

Tools

Listed in Reverse Chronological Order

Due to the Schrems II decision, companies have had to change their data management practices to comply with the judgment. The following is a list of information on compliance tools that may help countries in their data transfers:

  1. International Association of Privacy Professionals, Transfer Impact Assessment Templates (2021)
  2. United Kingdom’s Information Commissioner’s Office, Draft International Transfer Risk Assessment and Tool (2021)
  3. My Privacy Is None of Your Business, GDPRhub (2021)
  4. The Software Alliance, Principles: Additional Safeguards for SCC Transfers (2020)
  5. European Data Protection Supervisor, International Transfers (2020)