Case Study 17.2: Cornerstone's Schrems II Response — Renegotiating Data Transfers Post-Privacy Shield


Overview

Institution: Cornerstone Financial Group — a fictional composite multi-jurisdictional financial institution. US parent company (Cornerstone Financial Group Inc., Delaware-incorporated, listed on NYSE) with operating subsidiaries in the European Union (Cornerstone Financial Europe B.V., Netherlands; Cornerstone Asset Management GmbH, Germany; Cornerstone Insurance Services S.A., Luxembourg) and the United Kingdom (Cornerstone UK Ltd, FCA authorised).

Principal: Rafael Torres, 45, then VP Compliance Technology at Cornerstone Financial Group Inc. Now independent RegTech consultant. This case study is narrated in retrospect, from his perspective.

Situation: On 16 July 2020, the Court of Justice of the European Union issued its judgment in Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems (C-311/18). By the following morning, Cornerstone's EU-US Privacy Shield data transfer arrangements — relied upon for 14 separate cross-border data flows — were legally invalid.

Period: July 2020 – December 2021 (primary remediation); ongoing monitoring to 2025.


The Day Everything Changed

Rafael Torres remembers exactly where he was when Schrems II landed.

It was Thursday morning, 16 July 2020. He was in his kitchen in London — Meridian Capital, his then-employer, had been operating on a remote basis since March — working through overnight emails before his 8 AM call. The judgment had been published by the CJEU at 09:30 CEST, 08:30 London time. His data protection counsel in Frankfurt, Ingrid Lehmann, texted him within minutes of publication: "Schrems II is out. Privacy Shield is gone. Call me."

He did not have to ask which "Privacy Shield." He knew instantly.

Cornerstone Financial Group — which is a composite, assembled from elements of several real institutions, but captures the structural reality of many US-headquartered multinationals in financial services at that time — relied on Privacy Shield for 14 data transfer relationships between its EU subsidiaries and the US parent. These included:

  1. HR data transfers: Employee personal data (EU subsidiaries to US parent) for payroll processing, benefits administration, and performance management — global HR platform hosted in US.
  2. Customer data — EU retail: Customer personal and account data (Cornerstone Europe B.V. Netherlands entity) transferred to US-based core banking system for portfolio analytics and risk management.
  3. Customer data — EU asset management: Client portfolio data (Cornerstone Asset Management GmbH) transferred to US-based investment management platform.
  4. Customer data — Luxembourg insurance: Policyholder data (Cornerstone Insurance Services S.A.) transferred to US actuarial modelling platform.
  5. Regulatory reporting consolidation: EU entities' regulatory data transferred to US compliance function for consolidated group regulatory reporting.
  6. AML/sanctions screening: EU entities' customer data screened against US-hosted sanctions list platform (FinScan, operated from US servers).
  7. Fraud monitoring: EU customer transaction data transferred to US-based fraud analytics platform.
  8. Cybersecurity monitoring: Log data and network traffic information transferred to US-based Security Operations Centre.
  9. IT service desk: EU staff IT support data transferred to US-based global IT service desk.
  10. Backup and disaster recovery: EU customer data replicated to US-based disaster recovery facility.
  11. Internal audit: EU entity data accessible by US internal audit function for group audit programme.
  12. Legal hold and e-discovery: EU entity data transferred to US-based legal hold platform for US litigation.
  13. Customer relationship management: EU customer interaction data transferred to US-based Salesforce instance.
  14. Model development and validation: EU customer data used in US-based quantitative team's model development (shared through secure transfer).

Every single one of these was on Privacy Shield. And as of 09:30 CEST on 16 July 2020, every single one was legally invalid.


The Immediate Crisis: Days 1-14

Rafael's call with Ingrid lasted ninety minutes. The judgment was dense — 88 paragraphs of substantive analysis plus the operative provisions. By the end of the call, they had reached several conclusions.

Conclusion 1: Privacy Shield was dead immediately. The CJEU had invalidated the Commission's adequacy decision with no transition period. Unlike the Safe Harbor invalidation in 2015 (which the Article 29 Working Party had initially signalled would be given a short grace period for migration), Schrems II contained no grace period. The European Data Protection Board issued a statement on 23 July 2020 confirming there was no grace period.

Conclusion 2: Standard Contractual Clauses remained valid in principle. The CJEU had not invalidated SCCs as a mechanism — it had held that SCCs were valid provided that data exporters verified, on a case-by-case basis, that the SCCs provided effective protection given the legal framework of the destination country. For transfers to the US, given the CJEU's specific findings about FISA Section 702 and Executive Order 12333, this verification — what would become known as a Transfer Impact Assessment — would need to conclude that the SCCs were insufficient without supplementary measures.

Conclusion 3: Migration to SCCs was the immediate practical solution. BCRs were theoretically preferable for a group of Cornerstone's structure, but BCR approval takes 12-24 months. Cornerstone did not have 12-24 months — it had days. SCCs with supplementary measures were the only path.

Conclusion 4: Not all 14 transfers were equally urgent. Transfers involving the most sensitive personal data — customer financial data, HR data — were the highest priority. Regulatory reporting data and IT service desk data were lower risk.

Rafael spent the first two days convening the Crisis Response Team: himself; Ingrid Lehmann (EU data protection counsel); Cornerstone's DPO, Fatima Al-Rashid; Group General Counsel, Charles Pemberton; and the CTO, Dmitri Volkov. The Group CISO, Maria Costas, joined for the technical safeguards discussions.

They set three parallel workstreams:

Workstream A — Legal: Execute new SCC agreements for all 14 transfers. Ingrid's team would prepare the SCC documentation. Because the new SCCs had not yet been adopted (the Commission published them in June 2021), Cornerstone used the existing 2001/2004 SCCs as an interim measure, with a commitment to migrate to the new SCCs once published.

Workstream B — Technical: Identify what technical supplementary measures could be applied to reduce the risk of US government access to transferred data. Maria Costas led this.

Workstream C — Infrastructure: Evaluate which transfers could be eliminated or restructured by keeping data within the EU. Dmitri Volkov led this, working with the cloud infrastructure team.


Workstream A: The SCC Documentation Sprint

Fourteen transfers. Each requiring a full SCC agreement. Each requiring identification of the correct module (controller-to-controller; controller-to-processor; etc.). Each requiring a Transfer Impact Assessment.

The Transfer Impact Assessment was the hardest part. The CJEU had been clear: data exporters must assess whether SCCs are effective given the destination country's legal framework. For US transfers, the specific legal framework issues were:

  • FISA Section 702: Authorises the collection of communications of non-US persons reasonably believed to be outside the United States for intelligence purposes. The CJEU found that this provision allowed bulk collection of data without individualised judicial authorisation — a structural incompatibility with EU fundamental rights.
  • Executive Order 12333: Authorises collection of foreign intelligence information through interception of communications in transit. Broader than FISA; not subject to any judicial oversight whatsoever.
  • Ombudsperson mechanism (Privacy Shield): The CJEU found the Privacy Shield ombudsperson mechanism inadequate because the ombudsperson was part of the executive branch, not an independent body with power to make binding decisions.

The TIA template Ingrid developed for each transfer assessed: (1) the nature of the data being transferred and its sensitivity; (2) the practical risk of US intelligence access to this specific category of data; (3) the contractual safeguards in the SCCs; (4) the technical supplementary measures in place; (5) the conclusion as to residual risk.

For HR data transfers, the TIA concluded that while US surveillance law presented a theoretical risk, the practical likelihood of intelligence agencies accessing EU employee payroll data was low, the data was transferred in encrypted form, and the contractual safeguards were sufficient for this data type. For transfers of customer financial data, the TIA was more cautious: customer financial data was a more attractive target, and additional technical measures were required.


Workstream B: Technical Supplementary Measures

Maria Costas's team spent two weeks mapping what technical controls were actually in place for each of the 14 transfers and what additional controls could be implemented.

The post-Schrems II guidance from the EDPB (finalised in June 2021 as Recommendations 01/2020 on supplementary measures) distinguished between scenarios where supplementary measures could rescue a transfer and scenarios where they could not.

The critical insights were:

  • Encrypted data in transit and at rest was necessary but not sufficient. If the US-based cloud provider held the encryption keys, they could be compelled to produce decrypted data under a US court order. FISA Section 702 could require providers to cooperate with government data requests. Encryption with key management by the data exporter or a trusted EU-based key management service was the meaningful control.
  • Pseudonymisation could reduce the sensitivity of transferred data where it was technically feasible, but would not help for transfers where the US entity needed to process identifiable data (as in CRM and HR systems).
  • Minimisation — transferring only data strictly necessary for the purpose — reduced the attack surface.

For 8 of the 14 transfers, Cornerstone implemented enhanced technical controls: end-to-end encryption with EU-based key management for the most sensitive transfers; pseudonymisation before transfer for analytics and modelling use cases; and enhanced access logging.

For 3 transfers, Maria's team concluded that no technical measure could make them safe while the data remained identifiable and accessible to US-based operators. These transfers were escalated to Workstream C.
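The pseudonymisation-before-transfer and minimisation controls described above, sketched as an added example (not Cornerstone's code and not part of the original case study). The field names, the allow-list and the locally generated key are assumptions for illustration; in the arrangement the text describes, the key would sit in an EU-based key management service under the exporter's control.

```python
import hashlib
import hmac
import secrets

# Assumption: in production this key is held in an EU-based key management
# service controlled by the data exporter. Generated locally so the example
# runs offline.
EU_PSEUDONYM_KEY = secrets.token_bytes(32)

# Assumption: the only fields the US modelling team needs (minimisation).
TRANSFER_ALLOW_LIST = frozenset({"country", "product", "balance_band", "txn_count_90d"})
# Fields that identify a person directly and must stay in the EU.
DIRECT_IDENTIFIERS = frozenset({"customer_id", "name", "iban", "email"})


def pseudonym(customer_id: str, key: bytes) -> str:
    """Deterministic keyed token: stable across records so the recipient can
    join on it, but not recomputable without the EU-held key."""
    digest = hmac.new(key, customer_id.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:32]


def prepare_for_transfer(record: dict, key: bytes, eu_lookup: dict) -> dict:
    """Return the minimised, pseudonymised record that may leave the EU.

    eu_lookup maps token -> customer_id and is kept by the exporter only.
    """
    if TRANSFER_ALLOW_LIST & DIRECT_IDENTIFIERS:
        raise ValueError("allow-list contains a direct identifier")
    token = pseudonym(record["customer_id"], key)
    outbound = {"subject_token": token}
    for field in sorted(TRANSFER_ALLOW_LIST):
        if field in record:
            outbound[field] = record[field]
    # Catch identifiers smuggled inside allowed fields (e.g. free text).
    for ident in DIRECT_IDENTIFIERS:
        value = str(record.get(ident, ""))
        if value and any(value in str(v) for k, v in outbound.items()
                         if k != "subject_token"):
            raise ValueError(f"value of {ident!r} found in outbound record")
    eu_lookup[token] = record["customer_id"]
    return outbound


# Constructed sample records (not real data): one customer, two products.
SAMPLE_RECORDS = [
    {"customer_id": "NL-000123", "name": "A. Example", "iban": "NL00EXAM0000000001",
     "email": "a.example@example.com", "country": "NL", "product": "savings",
     "balance_band": "10k-50k", "txn_count_90d": 42},
    {"customer_id": "NL-000123", "name": "A. Example", "iban": "NL00EXAM0000000001",
     "email": "a.example@example.com", "country": "NL", "product": "brokerage",
     "balance_band": "50k-100k", "txn_count_90d": 7},
]


def run_demo():
    """Process the sample records; return (outbound rows, EU-only lookup)."""
    eu_lookup = {}
    outbound = [prepare_for_transfer(r, EU_PSEUDONYM_KEY, eu_lookup)
                for r in SAMPLE_RECORDS]
    return outbound, eu_lookup


if __name__ == "__main__":
    sent, kept = run_demo()
    for row in sent:
        print(row)
    print("re-identification table (EU only):", kept)
```

Both outbound rows carry the same token, so the recipient can still join records per customer, while the mapping back to `customer_id` exists only in the exporter's lookup table and key.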


Workstream C: Infrastructure Restructuring

Dmitri Volkov's analysis of Cornerstone's cloud infrastructure revealed both good news and bad news.

The good news: Cornerstone was already an AWS customer, and AWS operated the "eu-west" and "eu-central-1" (Frankfurt) regions with full data residency guarantees. Data stored and processed in AWS Frankfurt did not cross EU borders as a matter of technical infrastructure.

The bad news: AWS itself was a US-incorporated company subject to US law. The question that Schrems II raised — and that subsequent EDPB guidance grappled with — was whether US government access to AWS Frankfurt data through legal process served on AWS Inc. in the US constituted a "transfer" of data from the EU to the US.

The EDPB's position, developed in its guidelines on Article 3 scope and in the supplementary measures recommendations, was nuanced: where the cloud provider stores and processes data exclusively in the EU and the transfer of data to the US is merely a theoretical legal risk (US authorities could serve process on AWS's US parent but have not routinely done so for EU-hosted data), this risk may be assessed as low with appropriate contractual, technical, and organisational safeguards. This is not a clean answer — it is a risk assessment.

For the three problematic transfers identified by Workstream B, Dmitri proposed specific solutions:

Transfer 10 (Backup and disaster recovery): Migrate the US-based DR site to AWS Frankfurt with a separate EU-based DR as the primary backup target. US DR site to be decommissioned within 6 months, with only anonymised backup logs retained in the US. Solution: Infrastructure migration. Estimated cost: $340,000 one-time; $85,000 annual ongoing.

Transfer 14 (Model development): Instead of transferring EU customer data to the US quant team, implement a synthetic data generation pipeline. EU data team generates synthetic datasets that preserve statistical properties of the EU customer population without containing identifiable data. US quant team uses synthetic data for model development; models validated against EU data in secure EU environment. Solution: Synthetic data. Estimated cost: $180,000 implementation; $40,000 annual.

Transfer 12 (Legal hold and e-discovery): Most complex case. US litigation required production of EU entity data. Evaluated three options: (a) keep data in EU and serve US legal counsel via secure EU-based access; (b) challenge US discovery orders on privacy grounds; (c) transfer under Article 49 derogation (legal proceedings). Decided on option (a) with an EU-based e-discovery platform (Relativity hosted in EU data centre). Solution: Platform migration. Estimated cost: $220,000 one-time.


The BCR Question

At the four-week mark, Charles Pemberton raised the BCR option formally at a Crisis Response Team meeting.

"We're spending hundreds of thousands of dollars on individual SCCs and infrastructure changes," he said. "BCRs would cover all of this within the group permanently. Why aren't we pursuing BCRs?"

Rafael's answer was pragmatic: "BCRs take twelve to twenty-four months to get approved. We don't have twelve months. We need legal transfers now. We pursue BCRs in parallel as the long-term solution, but they cannot solve the immediate problem."

Cornerstone submitted its BCR application to the Dutch data protection authority (Autoriteit Persoonsgegevens) as lead supervisory authority in November 2020. The application was substantial: a 340-page policy document covering all personal data processing within the Cornerstone group, binding provisions enforceable by data subjects, training obligations, audit mechanisms, and designated privacy contacts in each entity.

The BCR approval process proceeded in parallel with the SCC implementation, with approval ultimately granted in March 2022 — 16 months after submission. From that point, the BCRs replaced SCCs for intragroup transfers, simplifying the transfer governance architecture materially.


Timeline Summary

Date               Event
16 July 2020       Schrems II judgment published. Privacy Shield invalidated.
16-17 July 2020    Crisis Response Team convened. Three workstreams established.
23 July 2020       EDPB statement confirms no grace period.
17 August 2020     Initial SCCs (2001/2004 versions) executed for 11 of 14 transfers.
31 August 2020     Three highest-risk transfers suspended pending infrastructure changes.
November 2020      BCR application submitted to Autoriteit Persoonsgegevens.
December 2020      Infrastructure migration (Transfer 10) completed. AWS Frankfurt DR live.
February 2021      Synthetic data pipeline operational (Transfer 14 alternative).
March 2021         EU e-discovery platform live (Transfer 12 alternative).
June 2021          European Commission publishes new modular SCCs.
October 2021       Migration to new SCCs (June 2021 version) completed for all 11 SCCs.
March 2022         BCR approval granted. BCRs replace SCCs for all intragroup transfers.
July 2023          EU-US DPF adopted. Cornerstone assesses DPF as additional mechanism.
2024               Legal challenge to DPF initiated; Cornerstone maintains SCCs/BCRs in parallel.

The EU-US DPF: A New Chapter, Same Plot?

When the EU-US Data Privacy Framework was adopted in July 2023, Rafael — by this point consulting independently — was characteristically measured in his reaction.

"It's better than Privacy Shield," he told a client. "Executive Order 14086 is more specific than its predecessors. The Data Protection Review Court has more formal independence than the Privacy Shield ombudsperson. The necessity and proportionality requirements are more explicit. I'll give it that."

"But?" the client asked.

"But it was designed by the same parties — the US government and the European Commission — who designed Safe Harbor and Privacy Shield. And those two were invalidated. Noyb filed its first complaint within hours of adoption. The structural question — whether the DPRC is sufficiently independent to satisfy the CJEU's requirement for judicial redress — is a real legal question. I don't know how the court will answer it."

His advice to clients on the DPF mirrored what he had lived through in 2020: rely on the DPF as a current lawful mechanism, but do not dismantle your SCC and TIA infrastructure. Keep it current. If the DPF falls — and he was not predicting it would, only acknowledging it could — you want to be able to switch back to SCCs the same day, not spend six months rebuilding the documentation.

Cornerstone's current architecture reflected this prudence: BCRs for intragroup transfers (the most important class); SCCs with TIAs for third-party processors; the DPF as supplementary adequacy mechanism for transfers to DPF-registered US entities; and technical controls (EU-region hosting for the most sensitive data, EU key management for encryption) reducing the practical exposure even where transfers occurred.


Lessons and Analysis

1. Privacy Shield Was Never a Robust Framework

In retrospect, the structural weakness of Privacy Shield was visible before Schrems II. The Privacy Shield ombudsperson — a State Department official with no independent adjudicatory power — did not satisfy any reasonable definition of an independent judicial remedy. The CJEU found in 2020 what privacy lawyers had said in 2016: the framework was politically convenient but legally fragile.

Firms that used Privacy Shield as their primary (or sole) transfer mechanism for significant EU-US data flows were taking legal risk they had underpriced. SCCs should have been maintained in parallel as a backstop — and for firms that had done so, Schrems II was inconvenient rather than catastrophic.

2. Transfer Impact Assessments Require Genuine Substance

The TIA is not a compliance formality. It is a substantive legal and technical analysis that determines whether a specific transfer mechanism actually protects the specific data being transferred. A template TIA completed without real analysis of the destination country's surveillance law and the specific data's sensitivity is worse than useless — it creates a false paper trail without providing real protection.

Cornerstone's TIA process was genuine: it distinguished between transfers where the practical risk was low (HR data, IT service desk logs) and transfers where supplementary technical measures were required (customer financial data). Some transfers required infrastructure restructuring rather than documentation.

3. BCRs Are the Long-Term Solution for Multinationals — But Not a Crisis Tool

Binding Corporate Rules, once approved, are the most elegant solution for intragroup data transfers within a multinational. They provide comprehensive governance, do not require transfer-by-transfer documentation, and bind all entities including future acquisitions (with appropriate amendment). But they take time. For a crisis requiring immediate legal transfers, BCRs are structurally unavailable.

The lesson is to pursue BCRs proactively, not reactively. A multinational financial institution that did not have BCRs in place before Schrems II — which was most of them — should have commenced the BCR process shortly after GDPR became applicable in 2018.

The most effective responses to Schrems II were those that combined legal and technical expertise: SCCs signed promptly, but also genuine technical supplementary measures (EU key management, pseudonymisation before transfer, infrastructure migration to EU regions). The technical measures reduced the risk that US government access could materialise even if legal mechanisms were subsequently challenged.

Maria Costas's contribution to the Crisis Response Team — mapping actual technical controls and identifying where they were insufficient — was as important as Ingrid Lehmann's SCC documentation. Compliance professionals who cannot engage with technical architecture are increasingly limited in their ability to provide effective guidance on data transfer compliance.

5. Plan for Instability

The EU-US adequacy landscape has been structurally unstable for decades: Safe Harbor (2000–2015), Privacy Shield (2016–2020), EU-US DPF (2023–present, challenged). The pattern is not obscure. Financial institutions relying on EU-US adequacy mechanisms as a permanent solution for their most critical data flows are making a structural bet that may not be warranted.

The prudent approach — maintained by firms that have learned from 2015 and 2020 — is to treat adequacy mechanisms as convenient where available, but to maintain SCC infrastructure and technical safeguards as the always-on foundation. If the DPF falls, the SCC/TIA machinery is already in place.


Discussion Questions

  1. Cornerstone's Crisis Response Team was assembled within 24 hours of the Schrems II judgment. What roles were represented? What role, if any, is missing from the team that you would add?

  2. The EDPB's Recommendations 01/2020 on supplementary measures drew a distinction between technical measures that meaningfully protect data (EU-based encryption key management) and measures that provide the appearance of protection but can be overridden by legal process (standard encryption with provider-held keys). What other technical measures might qualify as "meaningfully protective" under this analysis?

  3. Cornerstone chose to suspend three of the 14 transfers rather than attempt to maintain them without adequate safeguards. Was this the right decision? What were the business consequences of suspension? Under what circumstances would continued transfer without adequate safeguards be defensible?

  4. The BCR approval process took 16 months. If Cornerstone had submitted its BCR application in May 2018 — immediately after GDPR became applicable — would it have had BCRs in place before Schrems II struck in July 2020? What does this suggest about when multinationals should initiate BCR applications?

  5. Rafael's advice to clients on the DPF was to maintain SCC and TIA infrastructure in parallel even while relying on the DPF. Is this operationally feasible? What burden does this create? Is it proportionate to the risk?

  6. Cornerstone's synthetic data solution for Transfer 14 (model development) eliminated the cross-border transfer entirely by replacing identifiable EU customer data with synthetic equivalents. What are the limitations of synthetic data for this purpose? Under what circumstances might regulators question whether a model developed on synthetic data adequately represents real customer behaviour?