Schrems I and Schrems II Rulings
The Schrems I and Schrems II rulings are landmark decisions by the Court of Justice of the European Union (CJEU) that significantly impacted international data transfers from the EU.
**Schrems I (2015):** This case, formally known as *Schrems v. Data Protection Commissioner (C-362/14)*, was brought by Austrian privacy activist Maximilian Schrems against Facebook Ireland. Schrems challenged the transfer of his personal data to the United States under the EU-US Safe Harbor framework. Following Edward Snowden's revelations about mass surveillance by US intelligence agencies (particularly the NSA), Schrems argued that US law did not provide adequate protection for EU citizens' data. The CJEU invalidated the Safe Harbor Decision, ruling that it failed to ensure an adequate level of protection equivalent to that guaranteed within the EU. The Court emphasized that mass, indiscriminate surveillance by government authorities was incompatible with EU fundamental rights. This ruling forced the EU and US to negotiate a new framework, resulting in the EU-US Privacy Shield.
**Schrems II (2020):** In *Data Protection Commissioner v. Facebook Ireland and Maximilian Schrems (C-311/18)*, Schrems challenged the validity of both the Privacy Shield and Standard Contractual Clauses (SCCs) as mechanisms for transferring data to the US. The CJEU invalidated the Privacy Shield, citing similar concerns about US surveillance practices and the lack of effective legal remedies for EU data subjects. However, the Court upheld SCCs as a valid transfer mechanism but emphasized that data exporters must assess whether the recipient country's laws ensure adequate protection. If not, supplementary measures must be implemented.
These rulings profoundly shaped EU data protection law by reinforcing the principle that personal data transferred outside the EU must receive essentially equivalent protection. They placed greater responsibility on organizations to conduct Transfer Impact Assessments (TIAs) and implement supplementary safeguards, ultimately leading to the development of the EU-US Data Privacy Framework in 2023 as a successor to the Privacy Shield.
Schrems I & Schrems II Rulings: A Comprehensive Guide for CIPP/E Exam Preparation
Introduction
The Schrems I and Schrems II rulings are landmark decisions by the Court of Justice of the European Union (CJEU) that fundamentally reshaped the landscape of international data transfers from the EU. Named after Austrian privacy activist Maximilian Schrems, these cases struck down two major EU-US data transfer frameworks and established critical principles about the level of protection that must accompany personal data when it leaves the European Economic Area (EEA). For anyone studying for the CIPP/E exam, a thorough understanding of these rulings is essential, as they form the backbone of modern cross-border data transfer compliance under European data protection law.
Why Are the Schrems Rulings Important?
The Schrems rulings are important for several interconnected reasons:
1. They Established the Primacy of Fundamental Rights in Data Transfers
Both rulings affirmed that the right to privacy and the right to data protection, enshrined in Articles 7 and 8 of the EU Charter of Fundamental Rights, cannot be undermined simply because personal data crosses international borders. The CJEU made clear that the level of protection guaranteed by EU law must travel with the data.
2. They Invalidated Major Transfer Mechanisms
Schrems I invalidated the Safe Harbor framework (2015), and Schrems II invalidated the EU-US Privacy Shield (2020). These were the primary mechanisms used by thousands of organizations to legitimize transatlantic data flows. Their invalidation caused massive disruption and forced organizations worldwide to reassess their data transfer strategies.
3. They Raised the Bar for All Transfer Mechanisms
Beyond invalidating specific frameworks, Schrems II placed additional obligations on organizations using Standard Contractual Clauses (SCCs) and other transfer tools under Article 46 GDPR. Organizations must now conduct Transfer Impact Assessments (TIAs) and implement supplementary measures where necessary.
4. They Highlighted the Tension Between National Security Surveillance and Privacy
Both rulings centered on the concern that US surveillance programs (particularly under Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333) allowed mass, indiscriminate access to personal data of EU residents without adequate safeguards or effective judicial redress.
5. They Influenced Global Data Protection Standards
The principles established in these rulings have influenced data protection frameworks and adequacy assessments worldwide, not just in the EU-US context.
What Is the Schrems I Ruling?
Full Name: Maximillian Schrems v Data Protection Commissioner (Case C-362/14, 6 October 2015)
Background:
Maximilian Schrems, an Austrian law student and privacy activist, filed a complaint with the Irish Data Protection Commissioner (DPC) in 2013. His complaint concerned the transfer of his personal data by Facebook Ireland to Facebook Inc.'s servers in the United States. Schrems argued that, in light of the revelations by Edward Snowden about the NSA's PRISM surveillance program, the US did not provide an adequate level of protection for personal data transferred from the EU.
At the time, transatlantic data transfers were primarily legitimized by the Safe Harbor Decision (Commission Decision 2000/520/EC), a framework adopted by the European Commission in 2000 that allowed US companies to self-certify their adherence to certain data protection principles.
The Irish DPC initially rejected Schrems' complaint, arguing that the Safe Harbor Decision was binding and that it was not within the DPC's power to investigate the matter. Schrems challenged this decision before the Irish High Court, which referred key questions to the CJEU.
Key Questions Before the CJEU:
- Whether an EU Member State's data protection authority is bound by the Commission's adequacy decision (Safe Harbor) when examining a complaint about data transfers
- Whether the Safe Harbor Decision was valid
The CJEU's Decision:
The CJEU invalidated the Safe Harbor Decision on several grounds:
1. Safe Harbor Did Not Provide Adequate Protection: The Court found that the Safe Harbor framework allowed US public authorities to access personal data transferred from the EU on a generalized basis, without meaningful limitations, safeguards, or oversight. This was incompatible with Articles 7 (respect for private life) and 8 (protection of personal data) of the EU Charter of Fundamental Rights.
2. National Security Override: The Safe Harbor Decision contained a blanket exception allowing US national security, public interest, or law enforcement requirements to override the Safe Harbor principles. The Court found this exception was too broad and not limited to what was strictly necessary.
3. No Effective Judicial Redress: EU data subjects had no meaningful avenue to challenge US government surveillance or seek judicial remedies in the US.
4. Powers of National Supervisory Authorities: The CJEU held that national data protection authorities (DPAs) are not absolutely bound by a Commission adequacy decision. DPAs must be able to examine, with complete independence, complaints alleging that a third country does not ensure an adequate level of protection. If a DPA considers the complaint well-founded, it must be able to bring the matter before a national court, which may then refer the issue to the CJEU for a validity assessment.
5. The Commission's Assessment Must Be Robust: The Court established that when the Commission assesses the adequacy of a third country's data protection, it must find that the country provides a level of protection essentially equivalent to that guaranteed within the EU. This does not require identical protection but requires a substantively comparable standard.
Impact of Schrems I:
- Immediate invalidation of Safe Harbor, affecting approximately 4,500 companies relying on it
- Increased reliance on Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) for transatlantic transfers
- Led to negotiations between the EU and US that resulted in the EU-US Privacy Shield framework (adopted in 2016)
- Strengthened the role and independence of national supervisory authorities
What Is the Schrems II Ruling?
Full Name: Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Case C-311/18, 16 July 2020)
Background:
After Safe Harbor was invalidated, Schrems reformulated his complaint to the Irish DPC. He argued that Facebook Ireland's transfers to Facebook Inc. in the US, now relying on Standard Contractual Clauses (SCCs) adopted by the Commission (Decision 2010/87/EU), should be suspended or prohibited because US law did not provide adequate safeguards against government surveillance. The Irish DPC referred the matter to the Irish High Court, which in turn referred eleven questions to the CJEU. Separately, the validity of the EU-US Privacy Shield (Commission Implementing Decision 2016/1250) was also challenged.
Key Issues Before the CJEU:
- Whether the GDPR applies to data transfers based on SCCs
- Whether Commission Decision 2010/87/EU on SCCs was valid
- Whether the EU-US Privacy Shield was valid
- What obligations data exporters and supervisory authorities have when using SCCs
The CJEU's Decision:
1. Invalidation of the EU-US Privacy Shield:
The Court struck down the Privacy Shield for reasons substantially similar to those in Schrems I:
- US surveillance programs (particularly under Section 702 FISA and EO 12333) still permitted bulk collection of data that was not limited to what was strictly necessary and proportionate
- The Ombudsperson mechanism created under the Privacy Shield did not provide EU data subjects with effective judicial redress equivalent to what is required under EU law. The Ombudsperson was not sufficiently independent from the executive branch and lacked power to make binding decisions on intelligence agencies
- The Privacy Shield still allowed US national security requirements to override privacy protections without adequate safeguards
2. SCCs Remain Valid — But With Conditions:
The Court upheld the validity of the SCC Decision (2010/87/EU), but with crucial caveats:
- SCCs are contractual in nature and bind only the parties to the contract, not third-country government authorities. Therefore, SCCs alone may not be sufficient to ensure adequate protection in all circumstances
- Data exporters have an obligation to verify, on a case-by-case basis, whether the law and practice of the third country provides a level of protection essentially equivalent to that guaranteed in the EU. This assessment must take into account the specific circumstances of the transfer, the contractual clauses, and the legal framework of the importing country
- If the laws of the importing country impinge upon the effectiveness of the SCCs (e.g., by allowing government access to transferred data without adequate safeguards), the data exporter must implement supplementary measures to bridge any gaps in protection
- If supplementary measures cannot ensure essentially equivalent protection, the data exporter must suspend or end the transfer
3. Role of Supervisory Authorities:
The Court confirmed that supervisory authorities are required to suspend or prohibit a transfer if they determine that the SCCs or other safeguards cannot be complied with in the third country and that the protection of the data cannot be ensured by other means.
4. Application of the EU Charter of Fundamental Rights:
The Court reaffirmed that any limitation on the exercise of fundamental rights must respect the essence of those rights and must be proportionate and necessary in a democratic society. US surveillance laws were found not to meet these standards.
Impact of Schrems II:
- Invalidation of the Privacy Shield, affecting over 5,300 self-certified companies
- Creation of the obligation to conduct Transfer Impact Assessments (TIAs) before transferring data to third countries
- The European Data Protection Board (EDPB) issued Recommendations 01/2020 (later updated under the same number, with the updated version adopted 18 June 2021) providing guidance on supplementary measures and a step-by-step roadmap for assessing third-country transfers
- Increased use of encryption, pseudonymization, and other technical supplementary measures
- Led to negotiations for a new transatlantic framework, ultimately resulting in the EU-US Data Privacy Framework (DPF), adopted via Commission adequacy decision on 10 July 2023
- Prompted the US to issue Executive Order 14086 (October 2022) establishing new safeguards for US signals intelligence activities and creating a Data Protection Review Court (DPRC) to address EU individuals' complaints
How Do the Schrems Rulings Work in Practice?
Understanding the practical implications of the Schrems rulings is critical for the CIPP/E exam:
Step 1: Know Your Transfer Mechanism
Organizations must identify the legal basis for their international data transfers under Chapter V of the GDPR (Articles 44-49). Common mechanisms include:
- Adequacy decisions (Article 45)
- Standard Contractual Clauses (Article 46(2)(c))
- Binding Corporate Rules (Article 46(2)(b))
- Derogations for specific situations (Article 49)
Step 2: Conduct a Transfer Impact Assessment (TIA)
Following Schrems II, when relying on SCCs (or BCRs), the data exporter must assess:
- The laws and practices of the third country, particularly regarding government access to data
- Whether those laws respect the essence of EU fundamental rights
- Whether appropriate safeguards exist, including effective legal remedies for data subjects
- The specific circumstances of the transfer (nature of data, purposes, entities involved, onward transfers)
Step 3: Implement Supplementary Measures If Needed
If the TIA reveals gaps, the exporter must adopt supplementary measures, which can be:
- Technical measures: Encryption (where the exporter retains the keys), pseudonymization, split or multi-party processing
- Contractual measures: Additional contractual commitments (e.g., obligations to challenge government access requests, transparency obligations)
- Organizational measures: Internal policies, governance structures, and compliance programs
Step 4: Suspend or Cease Transfers If Protection Cannot Be Ensured
If no supplementary measures can bridge the gap, the organization must stop transferring data.
Step 5: Document and Monitor
Organizations must document their assessments and keep them under review, particularly in light of changes to third-country laws or enforcement practices.
Key Legal Provisions to Know
- Articles 7 and 8 of the EU Charter of Fundamental Rights – Right to respect for private life and right to protection of personal data
- Article 47 of the EU Charter – Right to an effective remedy and a fair trial
- Articles 44-49 GDPR – Rules on international transfers of personal data
- Article 45 GDPR – Adequacy decisions
- Article 46 GDPR – Appropriate safeguards (including SCCs and BCRs)
- Article 49 GDPR – Derogations for specific situations
- Recital 104 GDPR – Third country must ensure an essentially equivalent level of protection
- Section 702 FISA – US Foreign Intelligence Surveillance Act provision permitting surveillance of non-US persons located outside the US
- Executive Order 12333 – US executive order governing signals intelligence activities
- Executive Order 14086 – Post-Schrems II US executive order introducing proportionality requirements and the DPRC
Comparing Schrems I and Schrems II: Key Differences and Similarities
Similarities:
- Both were brought by Maximilian Schrems
- Both concerned transfers of personal data from Facebook Ireland to Facebook Inc. in the US
- Both invalidated EU-US transfer frameworks due to US surveillance practices
- Both emphasized the need for essentially equivalent protection
- Both raised concerns about the lack of effective judicial redress for EU data subjects in the US
- Both affirmed the role and independence of supervisory authorities
Differences:
- Schrems I invalidated Safe Harbor; Schrems II invalidated the Privacy Shield
- Schrems I was decided under the Data Protection Directive 95/46/EC; Schrems II was decided under the GDPR
- Schrems II went further by addressing the validity and practical use of SCCs, imposing additional obligations on data exporters
- Schrems II introduced the concept of supplementary measures and Transfer Impact Assessments
- Schrems II provided more detailed guidance on the role of supervisory authorities in suspending or prohibiting transfers
The EU-US Data Privacy Framework (DPF) — The Aftermath
In response to Schrems II, the EU and US negotiated a new framework:
- The US issued Executive Order 14086 (7 October 2022), introducing proportionality and necessity requirements for US signals intelligence and establishing the Data Protection Review Court (DPRC)
- The European Commission adopted an adequacy decision for the EU-US Data Privacy Framework on 10 July 2023
- The DPF allows certified US organizations to receive personal data from the EU without additional transfer mechanisms
- However, the DPF faces ongoing scrutiny. Maximilian Schrems and noyb (his organization) have indicated they may challenge this framework, potentially leading to a Schrems III case
- The Commission must periodically review the adequacy decision, with the first review having taken place in 2024
For the CIPP/E exam, it is important to know that the DPF exists and its relationship to the Schrems rulings, but focus primarily on the principles established by Schrems I and Schrems II, as these remain the foundational legal standards.
Exam Tips: Answering Questions on Schrems I and Schrems II Rulings
1. Know the Chronology
Exam questions may test your understanding of the timeline. Remember:
- Safe Harbor (2000) → Schrems I invalidates Safe Harbor (October 2015) → Privacy Shield (July 2016) → Schrems II invalidates Privacy Shield (July 2020) → EU-US DPF (July 2023)
2. Distinguish Between the Two Rulings
Be prepared for questions that ask you to identify which ruling did what. Key distinguishing points:
- Schrems I = Safe Harbor invalidated, DPA independence affirmed
- Schrems II = Privacy Shield invalidated, SCCs upheld with conditions, supplementary measures required
3. Understand the 'Essentially Equivalent' Standard
This is a frequently tested concept. The CJEU requires that third countries provide a level of protection essentially equivalent to that in the EU — not identical, but substantively comparable. Be precise with this language in your answers.
4. Focus on the Reasons for Invalidation
Both frameworks were struck down for similar reasons: mass surveillance, lack of proportionality, inadequate judicial redress. If a question asks why Safe Harbor or Privacy Shield was invalidated, these are your key points.
5. Know the Obligations on Data Exporters Post-Schrems II
Questions may ask about practical steps organizations must take. Remember the TIA obligation, the duty to implement supplementary measures, and the duty to suspend transfers if protection cannot be ensured.
6. Understand the Role of Supervisory Authorities
Both rulings addressed the powers of DPAs. Schrems I clarified that DPAs are not absolutely bound by adequacy decisions and must be able to investigate complaints independently. Schrems II confirmed that DPAs must suspend or prohibit transfers where SCCs cannot be complied with.
7. Be Familiar with EDPB Recommendations 01/2020
These recommendations provide the six-step roadmap for assessing and conducting transfers. Key steps include: mapping transfers, identifying the transfer tool, assessing third-country law, identifying and adopting supplementary measures, procedural steps, and re-evaluation at appropriate intervals.
8. Watch for Distractor Answers
Common incorrect options in multiple-choice questions may include:
- That Schrems I was decided under the GDPR (it was under the Data Protection Directive)
- That SCCs were invalidated in Schrems II (they were upheld, but with conditions)
- That the Privacy Shield was invalidated in Schrems I (it was Safe Harbor)
- That data importers (rather than exporters) bear the primary obligation to assess third-country laws (while importers must assist, the primary obligation falls on the exporter)
9. Know the Charter Rights at Stake
Articles 7 (private life), 8 (data protection), and 47 (effective remedy) of the EU Charter are central to both rulings. If asked about the legal basis for the invalidation, reference these provisions.
10. Use Precise Terminology
In written or scenario-based questions, use the correct terms: essentially equivalent, supplementary measures, Transfer Impact Assessment, effective judicial redress, proportionality, necessity. This demonstrates mastery of the subject matter.
11. Practice Scenario-Based Application
The exam may present a scenario where an organization is transferring data to the US or another third country. Apply the Schrems II framework: Is there an adequacy decision? If using SCCs, has a TIA been conducted? Are supplementary measures in place? Can protection be ensured? If not, the transfer must be suspended.
12. Remember Key Case Details
- Complainant: Maximilian Schrems
- Respondent/Target: Facebook Ireland (data exporter) and Facebook Inc. (data importer)
- Referring Court: Irish High Court
- Deciding Court: CJEU (Court of Justice of the European Union)
- National DPA involved: Irish Data Protection Commissioner
- US laws of concern: Section 702 FISA, Executive Order 12333, PPD-28
13. Anticipate Questions on the EU-US Data Privacy Framework
While the DPF postdates the rulings, exam questions may ask about the current state of EU-US transfers. Know that the DPF is the successor to Privacy Shield, that it relies on EO 14086 and the DPRC, and that it may face future legal challenge.
14. Connect to Broader GDPR Principles
The Schrems rulings do not exist in isolation. Connect them to broader GDPR concepts: accountability (Article 5(2)), lawfulness of processing, the territorial scope of the GDPR (Article 3), and the principle that data protection rights should not be circumvented by transferring data abroad.
Summary
The Schrems I and Schrems II rulings are cornerstones of European data protection law that every CIPP/E candidate must understand thoroughly. They establish that personal data leaving the EU must continue to benefit from essentially equivalent protection, that adequacy decisions and transfer mechanisms are subject to judicial scrutiny, that data exporters bear active obligations to assess and safeguard transfers, and that supervisory authorities must have the power to intervene when protection fails. Mastering these rulings — their facts, legal reasoning, practical implications, and connection to the broader GDPR framework — will prepare you to confidently answer any exam question on this critical topic.