The Court of Justice: the guardian of personal data

by: in Law

On 16 July 2020, the Court of Justice (Court) handed down its judgment in the long-anticipated Schrems II case. The saga began with the Schrems I case, in which the Court ruled upon an Adequacy Decision, the EU-US Safe Harbour Decision, whose aim was to facilitate the transfer of personal data to the United States, subject to the participation of the US business in the scheme. The Court showed its teeth and declared the EU-US Safe Harbour Decision invalid.

Accordingly, national Data Protection Authorities (DPAs) remained competent to assess whether the United States ensures an adequate level of protection. After the Court’s ruling, Schrems reformulated his complaint and argued that US law requires US companies to provide the transferred personal data of EU citizens to various authorities, including the NSA and the FBI, through two surveillance programmes. He submitted that such programmes are not in line with Articles 7 (the right to private and family life), 8 (the right to data protection) and 43 (the right to an Ombudsman) of the EU Charter. Therefore, the SCC Decision, which includes the standard contractual clauses in an Annex, cannot uphold the transfer and, as a result, the transfer should be prohibited. The case was brought before the Irish court, which referred it to the Court. In the meantime, the European Commission adopted another Adequacy Decision, the EU-US Privacy Shield.

In Schrems II, the Court – yet again – invalidated the EU-US Privacy Shield, which encompasses more than 5000 US companies. The Court’s reasoning was twofold. Firstly, the US legislation in question provided a blanket rule, which allowed the establishment of surveillance programmes without any restrictions or safeguards for those whose personal data is monitored. Secondly, EU citizens cannot enforce their rights against the US authorities. The Court recognized that the Privacy Shield Ombudsman was created to solve the problems surrounding judicial protection. Nonetheless, the Court concluded that this was not sufficient, seeing that no particular safeguards for the Ombudsman’s independence were put in place and the decisions made are not legally binding on US authorities. As a direct result of the invalidation, the participating US businesses need to reconsider how they comply with EU data protection laws. Fortunately, the affected US companies can use other GDPR mechanisms to prove adherence to EU data protection standards, such as the upheld SCC Decision and – in certain cases – Binding Corporate Rules.

The Court, however, did not stop there. While it upheld the SCC Decision, the Court confirmed that EU controllers or processors and national DPAs are required to suspend or prohibit the transfer of personal data to third countries, if a case-by-case analysis shows that the third country does not maintain EU data protection standards. While this finding is remarkable considering the European Commission adopted the SCC Decision, the Court held that it is not binding upon authorities from third countries. Consequently, from this perspective, it is only logical to allow EU enterprises to ensure the third country maintains the desired level of protection. The Court even provided some – though practically difficult to implement – guidance by mentioning that the assessment should be based on the standard contractual clauses and the relevant law of the third country enabling authorities’ access to transferred personal data. Nonetheless, this ruling demonstrates the willingness of the Court to protect the right to data protection of EU citizens in times where technological development may undermine this fundamental right. Looking at the Court’s track record in the field of data protection, this is no surprise. In its case law, the Court has always striven to afford a high standard of protection of personal data. However, the Court did not allow EU controllers or processors and national DPAs to prohibit transfers of personal data to third countries when the European Commission has adopted an Adequacy Decision. The only possibility to invalidate an Adequacy Decision is through a preliminary reference procedure. While such a procedure would take ample time (the preliminary proceedings alone of Schrems I and II lasted 15 and 26 months, respectively), during which transfers of personal data continue, the Court’s reasoning is as expected. After all, a different ruling would run counter to the supremacy of EU law.

While the Schrems II case concerned the US, it is obvious that this ruling will not only affect companies in the US, but businesses all over the world. This ruling shows – once more – the lengths to which the Court is willing to go to protect our personal data. Nevertheless, a few practical issues arise. Firstly, since the Court has already invalidated two Adequacy Decisions, it has become a demanding task to reconcile EU data protection standards with those of third countries when negotiating an Adequacy Decision. Secondly, this ruling shifts the burden from the European Commission to EU companies. Thus, EU businesses need to be adept at examining whether third-country legislation provides the equivalent of EU data protection standards. This brings to mind multiple questions, including: how far does the scope of this responsibility reach, and what are the consequences if one EU business concludes that the third country ensures an adequate level of protection, while another EU enterprise reaches the opposite conclusion? Now we await the next steps of the European Commission to not only adopt a new Adequacy Decision, but – hopefully – also to provide guidelines to EU controllers and processors on how to assess whether a third country provides a level of protection equivalent to EU standards.
