An overview of Schrems II


Schrems II is the short name for a European court ruling in July 2020. 

Privacy Shield was the name for an informal agreement between the EU and US so that companies could transfer personal information between the two locations while complying with data privacy laws. But the court invalidated the Privacy Shield, meaning that data processors and controllers can no longer use it.

Background: Schrems I

Before we look at Schrems II, it’s important to get some background from Schrems I. These are the preceding events that began in 2011 with the Austrian activist and lawyer, Max Schrems. 

At the time, he found that Facebook was exporting his data from its European headquarters in Ireland to its US office. Facebook was able to do this under the Safe Harbour Principles, but these allowed organisations to self-certify their compliance. It also meant that the data Facebook was transferring could be accessed by US intelligence agencies, which violated privacy. Moreover, the rumour at the time was that Facebook was working with the state under a mass surveillance program.

Since this was before GDPR, Schrems filed a complaint under EU Data Privacy. In 2015, the court ruled that Safe Harbour was invalid, but that some parts of the process, such as standard contractual clauses (SCCs), were still valid.

As such, a new agreement was drawn up to implement SCCs, known as Privacy Shield.

Privacy Shield did not solve the problem: Schrems II

Privacy Shield was implemented in August 2016, but Schrems found the same issue. Due to a direct conflict with US laws, the European Commission didn’t have the power to protect data from US intelligence agencies. 

The law allows agents to investigate EU citizens (including all transferred data) on the basis of national security. This meant that Privacy Shield was inadequate to protect data properly, and the gap in protection violated GDPR. 

Even though more than 5,000 companies relied on Privacy Shield to comply with data transfer regulations, it was ruled inadequate in July 2020. This meant that companies were to stop using the process immediately. 

Impact on regulated institutions

The Schrems II ruling had a huge impact on data transfer between the EU and US. Private companies were immediately told to stop using Privacy Shield principles, which means that EU companies now need to assess every individual data transfer to ensure their compliance.

A new EU-US data-sharing framework has been proposed and approved in the US, but not yet introduced. Until it is implemented, it’s up to firms to prudentially manage data transfers. 

Treating security as part of the design (rather than as an afterthought), companies may need to encrypt their data to ensure compliance with the regulations. Alternatively, businesses might need to review their vendors and consider non-US-based alternatives to reduce supplier risk.

Moreover, private companies could switch to an alternative safeguard method, for example codes of conduct or other forms of data protection. Since there’s no global standard for data protection, it’s important to review your processing records and the laws of every country you interact with.

Compliance is key

The unique factor with Schrems II is the pace at which Privacy Shield (and Safe Harbour) were dumped after their inadequacy rulings. In many other regulatory cases, companies have a grace period to implement new regimes over many months. However, Schrems II led to the immediate stopping of Privacy Shield.

This all happened in 2020, and although the new EU-US data-sharing framework has been approved by the Biden administration, it’s not yet implemented. To prepare your organisation for the new framework, choose to implement regulatory intelligence software with horizon-scanning technology. 

CUBE’s Automated Regulatory Intelligence (ARI), RegPlatform, combines enterprise-wide compliance mechanisms with workflow management, helping you to actually implement the changes, too.


For help with implementing Schrems II, get in touch with CUBE today.

© 2023 CUBE Content Governance Global Limited