Case Study: Schrems II and Its Aftermath
"You cannot have fundamental rights when the NSA is looking through the window." — Max Schrems, privacy activist
Overview
On July 16, 2020, the Court of Justice of the European Union issued a decision that shook the global data economy. In Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (Case C-311/18) — known universally as "Schrems II" — the court invalidated the EU-US Privacy Shield framework and imposed new obligations on organizations using Standard Contractual Clauses for transatlantic data transfers. The decision affected virtually every organization that transferred personal data from the EU to the United States — an estimated 5,000+ companies certified under Privacy Shield and hundreds of thousands more relying on SCCs.
This case study traces the full arc of the Schrems saga — from a 25-year-old Austrian law student's first complaint to the decision that reshaped transatlantic data governance — and examines the ongoing consequences.
Skills Applied:
- Tracing the development of legal doctrine through sequential court decisions
- Analyzing the interaction between surveillance law and data protection law
- Evaluating the practical consequences of judicial decisions on business operations
- Assessing the stability of the current EU-US data transfer framework
The Protagonist: Max Schrems
Max Schrems was a 23-year-old Austrian law student when he filed his first complaint with the Irish Data Protection Commissioner in 2011. The complaint was simple: Facebook Ireland transferred his personal data to Facebook's US servers, where it was accessible to US surveillance programs. This transfer, Schrems argued, violated his fundamental rights under EU law because US law did not provide adequate protection against government surveillance.
The complaint was remarkable not for its legal novelty but for its persistence. Schrems navigated over a decade of litigation through national authorities, national courts, and the CJEU — twice — fundamentally changing the legal framework for transatlantic data flows in the process.
Schrems later founded noyb (None of Your Business), a digital rights organization that has become one of Europe's most active privacy enforcement bodies, filing hundreds of complaints and strategic cases across the EU.
Act I: Safe Harbor and Schrems I (2000-2015)
The Safe Harbor Framework
From 2000 to 2015, the primary mechanism for EU-US data transfers was the US-EU Safe Harbor agreement. Under Safe Harbor, US companies could self-certify that they adhered to seven data protection principles broadly aligned with EU requirements. The European Commission had issued an adequacy decision recognizing Safe Harbor as providing adequate protection — enabling free data flows to certified US companies.
Safe Harbor was popular: over 4,000 companies certified. But it was also weak. Self-certification meant there was no verification that companies actually implemented the principles. Enforcement by the FTC was rare. And, most critically, Safe Harbor did not address government access to data.
The Snowden Revelations
In June 2013, Edward Snowden leaked documents revealing the scale of US government surveillance programs, including PRISM — a program through which the NSA collected data directly from the servers of major technology companies, including Facebook, Google, Apple, and Microsoft. The revelations demonstrated that US surveillance was not targeted but mass in nature, affecting millions of people worldwide, including EU citizens.
For Schrems, the Snowden revelations provided the evidence his complaint needed. If the NSA was collecting data from Facebook's US servers on a mass basis, then transferring EU citizens' data to those servers could not provide adequate protection.
The CJEU Decision: Schrems I (October 2015)
The Irish High Court referred Schrems's case to the CJEU, which issued its decision on October 6, 2015. The court:
- Invalidated the Safe Harbor adequacy decision. The Commission's 2000 finding that US protection was adequate was declared invalid. The court held that the Commission had not adequately assessed US law and that Safe Harbor's self-certification mechanism was insufficient.
- Established the "essential equivalence" standard. The third country need not provide identical protection to the EU, but protection must be "essentially equivalent" — a high bar that required assessment of the country's legislation, international commitments, and actual surveillance practices.
- Affirmed the role of national DPAs. National data protection authorities could not be bound by a Commission adequacy decision if they had reason to believe the third country did not provide adequate protection. They retained independent authority to investigate and, if necessary, suspend transfers.
Safe Harbor was gone. Over 4,000 companies lost their legal basis for transatlantic data transfers overnight.
Act II: Privacy Shield and Schrems II (2016-2020)
The Privacy Shield
In response to the Schrems I decision, the EU and the US negotiated a replacement framework: the EU-US Privacy Shield, adopted in 2016. Privacy Shield attempted to address the court's concerns with several enhancements:
- Stronger privacy principles and more robust self-certification requirements
- A written commitment from the US government (via the Office of the Director of National Intelligence) that US signals intelligence collection would be "as tailored as feasible" — stopping short of proportionality but promising restraint
- An Ombudsperson mechanism within the State Department to handle EU citizens' complaints about US surveillance
Over 5,000 companies certified under Privacy Shield. But critics — including Schrems and the European Data Protection Board — identified fundamental weaknesses: the Ombudsperson was not independent from the executive branch, the US government's commitments were contained in administrative letters rather than binding legislation, and the "as tailored as feasible" standard fell short of the EU's necessity and proportionality requirements.
Schrems challenged Privacy Shield almost as soon as it was adopted: the new complaint he had filed against Facebook Ireland in 2015 was expanded to encompass the new framework.
The CJEU Decision: Schrems II (July 2020)
On July 16, 2020, the CJEU issued its landmark decision in Schrems II:
- Privacy Shield invalidated. The court held that Privacy Shield did not provide adequate protection. The Ombudsperson mechanism was not sufficiently independent. The US government's commitments did not meet the proportionality standard required by EU fundamental rights law. And US surveillance legislation — particularly Section 702 of FISA and Executive Order 12333 — authorized surveillance that went beyond what was "strictly necessary" in a democratic society.
- SCCs conditionally upheld. The court held that Standard Contractual Clauses remained valid in principle — but imposed a critical new obligation. Organizations using SCCs must conduct a case-by-case assessment of whether the destination country's legal framework provides "essentially equivalent" protection. If the assessment reveals inadequate protection, supplementary measures (technical, contractual, or organizational) must be implemented. If no supplementary measures can compensate, the transfer must be suspended.
- DPA enforcement obligation affirmed. Data protection authorities were obligated to suspend transfers that they determined did not comply — they could not simply defer to the Commission's adequacy determinations or to companies' self-assessments.
The Aftermath: Uncertainty and Adaptation
The Compliance Crisis
Schrems II created immediate practical chaos. Virtually every organization transferring data from the EU to the US — from multinational corporations to small businesses using US-based cloud services — needed to:
- Assess whether their transfer mechanism (now limited to SCCs, BCRs, or derogations) was valid
- Conduct a transfer impact assessment evaluating US surveillance law
- Implement supplementary measures if the assessment revealed inadequate protection
- Document everything for potential DPA inspection
The EDPB issued guidance on supplementary measures in 2020, identifying technical measures (end-to-end encryption where the data importer cannot access the key), contractual measures (commitments to challenge government access requests), and organizational measures (internal policies and governance). But the guidance also acknowledged that for some types of processing — particularly where the US data importer needs access to data in the clear — no supplementary measure could compensate for the inadequacy of US law.
This created an impossible situation for many organizations. If you were a European company using a US cloud provider for email (which requires the provider to access data in the clear), no supplementary measure could prevent the US government from compelling the provider to produce that data under FISA Section 702.
Business Response
Organizations responded in several ways:
- Large multinationals invested in European data processing infrastructure, establishing EU-based servers and routing European data through EU systems.
- Cloud providers expanded EU data residency options. Microsoft launched "EU Data Boundary" guarantees. AWS established its "European Sovereign Cloud." Google offered EU-specific data processing commitments.
- Many organizations continued transferring data on SCCs with transfer impact assessments of varying rigor — hoping that enforcement would not target them.
- Some organizations adopted a "risk-based" approach, balancing the legal risk of continued transfers against the operational disruption of suspending them.
The Road to the Data Privacy Framework
The political pressure created by Schrems II drove renewed EU-US negotiations. In March 2022, Presidents Biden and von der Leyen announced an agreement in principle for a new framework. In October 2022, President Biden signed Executive Order 14086, implementing US reforms including:
- A requirement that US signals intelligence be "necessary and proportionate" (adopting the EU's standard, at least in language)
- A new Data Protection Review Court (DPRC) to hear complaints from EU citizens about US surveillance — replacing the inadequate Ombudsperson
The European Commission adopted its adequacy decision for the EU-US Data Privacy Framework in July 2023, enabling data transfers to DPF-certified US companies.
The Schrems III Question
The Data Privacy Framework faces the same fundamental vulnerability as its predecessors: US surveillance law has not changed. FISA Section 702 and Executive Order 12333 — the provisions the CJEU found problematic — remain in force. The reforms are contained in an executive order that a future president could modify or revoke.
Noyb filed a challenge to the DPF promptly after its adoption. The organization argues that Executive Order 14086 does not meet the essential equivalence standard — that the DPRC is not a "court" in the EU sense (its members are appointed by the Attorney General, not the judiciary), and that the "necessary and proportionate" standard in the executive order is not enforceable in the same way as the EU's constitutional standard.
Whether the CJEU will invalidate a third framework — creating what is already being called "Schrems III" — remains one of the most consequential open questions in data governance.
Discussion Questions
- Max Schrems was a law student when he filed his first complaint. His persistence over a decade produced decisions that affected millions of organizations and billions of people. What does this tell us about the role of individual activism in data governance? Can structural change depend on individual actors, or are other forces (regulatory agencies, market pressure, civil society organizations) more sustainable drivers of change?
- The Schrems decisions prioritize fundamental rights over practical convenience. Evaluate this prioritization: Is the CJEU correct to insist on "essential equivalence" even when doing so disrupts existing data flows affecting millions of organizations? Or should practical considerations — the cost of compliance, the difficulty of restructuring global data infrastructure — carry more weight?
- The EU-US Data Privacy Framework rests on an executive order rather than legislation. Assess the stability of this foundation. What would happen if a future US administration revoked or weakened EO 14086?
- The Schrems saga reveals a fundamental tension: the internet is borderless, but sovereignty is territorial. Can this tension be permanently resolved, or is the cycle of framework-invalidation-negotiation-framework the inevitable result?
Your Turn: Mini-Project
Option A: Read the CJEU's Schrems II judgment (available online). Identify the three most important legal principles the court established and write a one-page analysis of each, including its practical implications.
Option B: Research how one specific company (e.g., Meta, Google, Microsoft, or a smaller organization) responded to the Schrems II decision. Write a 1,000-word case study of that company's compliance journey.
Option C: Draft a transfer impact assessment for a hypothetical EU company that uses a US-based email provider. Evaluate whether the transfer can be made compliant and, if so, what supplementary measures would be required.
References
- Court of Justice of the European Union. Maximillian Schrems v. Data Protection Commissioner. Case C-362/14. October 6, 2015.
- Court of Justice of the European Union. Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems. Case C-311/18. July 16, 2020.
- European Data Protection Board. "Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data." November 2020.
- Executive Office of the President. "Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities." EO 14086. October 7, 2022.
- Noyb. "DPF Complaint Filed: EU-US Data Transfers Under Challenge Again." Press release, 2023.
- Schwartz, Paul M. "The EU-US Privacy Collision: A Turn to Institutions and Procedures." Harvard Law Review 126, no. 7 (2013): 1966–2009.