Skip to content
Schrems II judgement – what does it mean for privacy and personal data in the UK and US?

News -

Schrems II judgement – what does it mean for privacy and personal data in the UK and US?

By Lydia Lavender, managing consultant at NCC Group

In the latest news concerning how the personal data of people in the EU is transferred to the United States, the European Court of Justice has ruled that the protections afforded by the EU-US Privacy Shield are not adequate.

On 16th July, this much anticipated judgement, in what is known widely as Schrems II, also ruled that the use of Standard Contractual Clauses (SCC) remain valid. However, the decisions now have the privacy world in a spin, trying to work out what they need to do to make their international transfers comply with the GDPR.

With a lot of legal jargon and complicated documents being issued, we have simplified the case and decision to help you to understand the changes.


The story started when Austrian citizen Maximillian Schrems raised a complaint regarding the security of his data with the Irish Data Protection Commissioner against Facebook, Ireland for transferring and processing his personal data outside of the EU to Facebook US.

There have been various investigations and decisions by the court around Safe Harbour, SCC and Privacy Shield leading to the current decision by the Court of Justice. 

What happened?

The Court determined that: 

  • the GDPR will apply to the transfer of data to any third country;
  • that protection must be in place at least equivalent to the GDPR;
  • that supervisory authorities must suspend or prohibit transfers where it is believed adequate security is not in place;
  • that the SCC decision is valid and therefore SSCs are also still valid; and
  • that the Privacy Shield Decision is invalid because the security of the data in the US is not equivalent to that required by the GDPR as the processing of data is not limited to only that which is necessary due to the US legal system allowing full access to all data stored.

So, what does this mean?

Where personal data is being sent to the US from the EU for processing, you can no longer rely on Privacy Shield. Going forward, you will need to be clear on the controls in place within the US entity, along with the contractual agreements that have been agreed.

What can you do to prepare?

While there is still speculation around the impact of this decision, there are a number of acceptable mechanisms still in place to allow the transfer of personal data outside of the EU.

There are a few simple steps that you can take today to put you in a strong position when the outcome of this decision is fully understood:

  1. Review your data flow maps to understand if and where data is sent outside of the EU.
  2. Review third party agreements and contracts to ensure adequate wording is used regarding the security of personal data transfers. 
  3. Where SCCs are used, the level of protection in the third country must be reviewed initially.
  4. DPAs (Data Processing Agreements) must focus on the transfer of data, and as such must be reviewed.
  5. Conduct due diligence reviews on any third party to whom you transfer data to ensure adequate security is implemented to meet GDPR requirements.

We will keep you updated as things develop so do stop back again soon for more information and advice, or get in touch with our team to find out more.



Press contacts

NCC Group Press Office

NCC Group Press Office

Press contact All media enquires relating to NCC Group plc +44 7824 412 405

Related content

NCC Group exists to make the world safer and more secure

In today’s threat landscape understanding the risks organisations and customers are exposed to is more important than ever.

Understanding the impact and how to be more resilient is key to protecting brand, reputation and sensitive customer information. Building a cyber-resilient organization can be a complex process but it’s not impossible.

With our knowledge, experience and global footprint, we help assess, develop and manage cyber resilience posture.

NCC Group Newsroom
XYZ Building, 2 Hardman Boulevard, Spinningfield
M3 3AQ Manchester
United Kingdom