Schrems II

Schrems II was a legal decision handed down by the Court of Justice of the European Union (CJEU) in the case of Data Protection Commission vs. Facebook Ireland Limited. The decision invalidated Privacy Shield—an agreement between the US and EU that had been regulating trans-Atlantic data transfer.

According to the judgment, Facebook’s transfer of personal data from Ireland to the US posed a significant security risk in that, once in the US, the data could potentially be accessed by US intelligence agencies. According to Max Schrems, the plaintiff in this lawsuit, this access would represent a violation of the General Data Protection Regulation (GDPR).

The GDPR requires that any data transferred out of the EU must be protected by reasonable security measures–if that’s not possible, the transfer is prohibited.

Since the Schrems II decision, the US and EU have continued discussions to form an adequate replacement for Privacy Shield, but it’s been difficult to reach consensus. In March 2022, the US and EU announced an ”agreement in principle,” but did not disclose any specifics.

Privacy experts expect this new agreement, unless it makes significant changes to the Privacy Shield model, will likely meet further legal challenges.