How will the Schrems II decision impact your privacy program?

November 23, 2020

Orange gradient

The Schrems II Decision is a key ruling by the Court of Justice of the European Union (CJEU), in July 2020 they declared that Privacy Shield, the EU-US personal data transfer mechanism, was no longer lawful. This decision will have significant impacts on EU-US data transfers, and many organizations will need to update their programs to rely on alternative transfer mechanisms. 

In compliance with the GDPR, when transferring personal data from an EU country to a country that does not have a confirmed adequacy status for their level of personal data protection (known as a third country), you must employ a transfer mechanism that demonstrates protection to the equivalent. This is what makes the data transfer legal. 

The Schrems II decision specifically looked at Privacy Shield and Standard Contractual Clauses (SCCs). While Privacy Shield has been invalidated, SCCs still remain a valid, legal mechanism for data transfers, although they must now be taken on a case-by-case basis. 

Is it safe to rely on SCCs?

In short, yes, SCCs are still a valid data transfer mechanism. However, they must be considered on a case-by-case basis, the data exporter and the importer have to take into account whether an adequate standard of protection can be provided in the third-party country the data is being transferred to. It is also the responsibility of the importer to inform the exporter if they are unable to meet the terms of the SCC. 

Will the Schrems II decision impact your privacy program?

The Schrems II Decision will have a direct impact on your organization if relying on Privacy Shield or SCCs for data transfers. After the July ruling, there was no grace period given before Privacy Shield was invalidated, so organizations are required to pivot their affected transfers to rely on valid mechanisms. 

Based on regulatory guidance and deep privacy research, OneTrust’s privacy, security, and data governance solutions are optimized to support organizations as they assess and adapt their programs. 

How can OneTrust be leveraged to operationalize the Schrems II decision?

OneTrust’s Schrems II Solutions support organizations operationalize a range of functions, including: 

Data Mapping Automation: Map discovered data, identify, assess and document transfer mechanisms, and link to vendors 

Third-Party Risk Management: Assess vendors who rely on SCCs, manage on-boarding and off-boarding, alongside other contract updates 

Third-Party Risk Exchange: Leverage pre-completed vendor assessments and chasing services  

DataGuidance Research: Stay up to date with the latest Schrems II guidance and compare adequacy decisions around other third countries 

You may also like


Responsible AI

Unpacking the EU AI Act

Prepare your business for EU AI Act and other AI regulations with this expert webinar. We explore the Act's key points and requirements, building an AI compliance program, and staying ahead of the rapidly changing AI regulatory landscape.

July 12, 2023

Learn more


Third-Party Risk

Are your third parties a privacy compliance liability? 5 tips to reduce your exposure

Join our webinar and learn how to create an effective, privacy-focused third-party risk management (TPRM) program that streamlines recordkeeping and reduces your risk exposure.

July 05, 2023

Learn more


Third-Party Risk

TPRM privacy compliance: 10 best practices when working with third parties

How can you build a privacy-focused TPRM program? In this webinar, we discuss best practices for privacy compliance when working with third parties, from onboarding to offboarding.

June 28, 2023

Learn more