No more data to the USA?


Maybe you have heard about the last judicial decision C-311/18 named “Schrems II” of the European Court (EuGH) on July 16, 2020. What are the consequences of this decision and what does “Schrems II” mean? This article would like to give a short summary to people, who are not experts and not familiar with this special topic of the GDPR and who are transferring data to the USA as a controller.


“Schrems II” is derived from the Austrian solicitor “Max Schrems”. He is a lawyer, author and data protection activist. He demanded to prove if the Privacy Shield treaty is in consensus with European law. The Privacy Shield treaty was an arrangement between the EU and USA. American companies can confirm that they act under the conditions of the Privacy Shield and warrant, that data, which is processed by these companies, is handled in a manner as is claimed secure as under the GDPR.

But there is the fact, that American authorities have rights by law, to access these data and that American companies are not able to protect these data in accordance with the GDPR.

The European Court (EuGH) decided now, that the Privacy Shield is not in accordance with the GDPR and is not legal. The appropriate safeguard clauses for the transfer of personal data to third countries are still legal. But what are the consequences of this court decision?

Consequences of the court decision

In general, the Privacy Shield is not legal, and it is not allowed to transfer data to the USA corresponding to this treaty.

Using the appropriate safeguard clauses is also not sufficient in any case. The reason is, that the appropriate safeguard clauses do not bind government authorities and it is not guaranteed, that there is no access by these authorities.

The data transfer is only allowed, when it is ensured, that the access by authorities happens in accordance with the rules of GDPR. It is necessary, that access of authorities happens under the law and the access is reasonable. Furthermore, the data subject must have the right to have an adequate legal remedy against this access.

The EuGH adjudged, that level of protection is not sufficient. The rights of the US intelligence service are to extensive and not in accordance with the European law. Additionally, the data subjects have no legal protection against the access to their personal data.

What to do?

For this reason, it is in most cases not enough only to use appropriate safeguard clauses. In general, it is not allowed to transfer data to the USA in any case.

The first action point is, to make an inventory of all data, which is transferred to the USA or third countries. It is important to check, what kind of data is transferred and in which countries. Then it is important to think about, whether an appropriate data protection level, contractual guaranties (for example to appropriate safeguards) or derogations for specific situations exist.

It is recommended for data exporters to contact every data receiver, explain the circumstances, to ask to which extent authorities have access to the transferred data and if the data receiver is obliged to allow access to data for authorities by any law. This concerns also sub-contractors.

Maybe it will be necessary, to use ciphering methods (American authorities have no access to the key) or pseudonymized data methods.