Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?



One Year After Europe’s Schrems II Decision, Privacy Activist Bemoans Lack of Progress

Little will happen until and unless the European Data Protection Authorities begin to enforce Schrems II

Little will happen until and unless the European Data Protection Authorities begin to enforce Schrems II

One year after the so-called Schrems II decision was made by the European Court of Justice (CJEU), little has changed. Because of Schrems II, EU-U.S. data transfers are illegal, but they are continuing as if nothing has happened. Participants should note, however, that privacy activist Max Schrems is watching; and he is not known for giving up where he has the law on his side.

In a statement published Jul 16, 2021 on the My Privacy is None of Your Business (NOYB) website, Schrems bemoans the lack of progress. “Over the last year, it seems that the relevant stakeholders have mainly engaged in deflection and finger pointing, each passing on responsibility to the next.”

The basic problem is that business-essential data transfers are caught between a rock and hard place: EU law on the one hand, and U.S. surveillance on the other. Neither side currently seems willing to shift, but they are mutually exclusive. One solution could be for the companies concerned to host European data on servers within Europe, but only ‘a fraction’ have moved towards doing so.

Schrems II is the outcome of the European Court’s ruling over a case involving Ireland’s Data Protection Commissioner, Facebook, and Max Schrems. This invalidated the EU-U.S. Privacy Shield (which had replaced the earlier Safe Harbor mechanism which had itself been invalidated largely through the actions of Schrems).

But Schrems II also casts doubt on the validity of Standard Contractual Clauses (SCCs) as used by Facebook and others. Schrems argued that the transfer of Facebook data to its headquarters in the U.S. would make European personal data available to the surveillance of U.S. intelligence agencies. This, claimed Schrems, would be in violation of GDPR and EU law in general. The court agreed. 

Technically, SCCs are still valid but with provisions. Ultimately, the U.S. party would need to guarantee the data against U.S. intelligence agency surveillance – but since this is not possible, the SCC fails.

It is a difficult problem to solve – so difficult that Schrems believes the primary route taken by both sides is to ignore the issue, claim it is unrealistic, and concoct “increasingly crude legal theories”. These range, says Schrems, “from the existence of a ‘risk-based approach’ (which is not present in the relevant part of the GDPR) to the suggestion of non-functional ‘supplementary measures’ (like having fences around data centers).”

Companies are saying that the regulations are too complex to implement, while, says Schrems, “The European Commission is muddying the waters by issuing new transfer tools, like ‘Standard Contractual Clauses’, that carefully bypass a clear say on EU-US transfers and allow industry lawyers to keep spinning new compliance theories and avoid long-term solutions.“ The European Data Protection Authorities are adopting a wait and watch position, while the U.S. authorities regularly announce ‘progress’ in negotiations with little or no appetite to change the root problem of U.S. intelligence agency surveillance.

Schrems seems to be on safe ground with his opinions. Recommendations issued by the European Data Protection Board (EDPB) on June 18, 2021 state, “The CJEU held that Section 702 of the U.S. FISA does not respect the minimum safeguards resulting from the principle of proportionality under EU law and cannot be regarded as limited to what is strictly necessary. This means that the level of protection of the programs authorized by Section 702 FISA is not essentially equivalent to the safeguards required under EU law.”

For any company that feels its data transfer may fall within the scope of Section 702 FISA, the EDPB’s first recommendation is, “To stop the transfer.” 

Nothing much is likely to happen until and unless the European Data Protection Authorities begin to enforce Schrems II. This is unlikely to happen in the immediate future.

But Schrems has proven himself to be an essentially reasonable, but patient and persistent privacy activist. “In my personal view,” he says, “a long-term solution can only be some form of ‘no spy’ agreement among democratic nations that protects users’ human right to privacy independent of location and citizenship. We may not get there within a matter of months, but potentially within a decade, as a global internet needs global protections to function as users and companies wish for it to.”

Related: Austria’s Max Schrems: US High-tech Giants’ Worst Nightmare?

Related: EU Court Deals Blow to ‘Invalid’ US Data Sharing Deal

Related: Top Court Scraps EU-US Data Pact in New Blow to Brussels

Related: Ireland Rejects Facebook Bid to Block Regulatory Data Probe

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...


U.S. fighter jets successfully shot down the high altitude spy balloon launched by and belonging to China.

Application Security

Less than a week after patching critical security defects affecting multiple enterprise-facing products, VMware is warning that one of the flaws is being exploited...


Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.