Study Guide: Certified Information Privacy Professional (CIPP): EU - Schrems II and the Future of EU-US Data Transfers, Privacy Shield, DPF
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-eu-schrems-ii-and-the-future-of-euus-data-transfers-privacy-shield-dpf


By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


CIPP/E Study Guide – Schrems II & the Future of EU-US Data Transfers (Privacy Shield, Data Privacy Framework)


What This Is

Schrems II (Case C-311/18, judgment of 16 July 2020) is the Court of Justice of the EU (CJEU) ruling that invalidated the EU-US Privacy Shield adequacy decision. The Court found that US surveillance law (chiefly FISA Section 702 and Executive Order 12333) lets US authorities access transferred data beyond what is strictly necessary and proportionate, and that the Privacy Shield Ombudsperson gave EU data subjects no effective judicial redress, so the US did not provide protection "essentially equivalent" to that guaranteed in the EU. The Court upheld Standard Contractual Clauses (SCCs) but made clear they work only if the exporter verifies, case by case, that the law of the destination country allows the clauses to be honoured, adding supplementary measures where it does not. Every organisation moving personal data from the EU to the US (or to any other third country without an adequacy decision) therefore relies on SCCs, Binding Corporate Rules (BCRs) or, for transfers to US organisations self-certified under the EU-US Data Privacy Framework (DPF), the adequacy decision the Commission adopted on 10 July 2023.

Real-world example: A German SaaS provider sends customer-support tickets containing EU-resident data to its US help desk. After Schrems II, the provider must either confirm that the help-desk operator is on the DPF list or, if it relies on SCCs, document a Transfer Impact Assessment and, where US law would undermine the clauses, apply supplementary measures (e.g., encrypting ticket contents with keys that stay in the EU, pseudonymising customer identifiers, and contractual duties on the US recipient to challenge and report government access requests).


Key Terms & Provisions

  • Schrems II (C-311/18): 2020 CJEU judgment that invalidated the EU-US Privacy Shield and confirmed that SCCs (and the other Art. 46 GDPR tools) may be used only where the exporter has verified "essential equivalence" for the specific transfer.
  • EU-US Data Privacy Framework (DPF): The successor to Privacy Shield. It rests on US Executive Order 14086 (October 2022), which binds US signals intelligence to necessity and proportionality, and on the Commission's adequacy decision of 10 July 2023. It adds a two-tier redress mechanism: the Civil Liberties Protection Officer (CLPO) in the Office of the Director of National Intelligence, with appeal to the Data Protection Review Court (DPRC). Only US organisations self-certified to the DPF Principles (the list is kept by the US Department of Commerce) are covered.
  • Standard Contractual Clauses (SCCs): Model contracts adopted by the European Commission under Art. 46(2)(c) GDPR (current version: Implementing Decision (EU) 2021/914, with four modules covering controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller transfers). Clause 14 obliges the parties to assess the law of the destination country before relying on them.
  • Binding Corporate Rules (BCRs): Internal, legally binding rules approved by a lead EU data-protection authority under Art. 47 GDPR that allow a corporate group to transfer data intra-group.
  • Adequacy Decision: A Commission determination under Art. 45 GDPR that a third country (or a sector or certification scheme within it) offers "essentially equivalent" protection, e.g., Switzerland, Japan, the UK and, for DPF-certified organisations only, the US.
  • Supplementary Measures: Technical, contractual or organisational steps (e.g., encryption with keys held by the exporter, pseudonymisation with the re-identification key kept in the EU, contractual duties to challenge and report government requests) added to SCCs/BCRs to close the gaps a transfer impact assessment identifies. The EDPB Recommendations 01/2020 set out the accepted use cases.
  • US Surveillance Laws (FISA Section 702, Executive Order 12333, PPD-28): The programmes the CJEU examined. It found that they are not limited to what is strictly necessary, give EU data subjects no actionable rights, and cannot be overridden by contractual clauses, which bind only the parties.
  • Transfer Impact Assessment (TIA; this guide writes DTIA): The documented assessment of whether the destination country's law and practice undermine the chosen Art. 46 tool, and whether supplementary measures close the gap. It is not named in the GDPR; it follows from the judgment, the EDPB Recommendations 01/2020 and Clause 14 of the 2021 SCCs.
  • Redress Mechanism (DPF): The CLPO-plus-DPRC procedure above. EU data subjects lodge complaints about US signals-intelligence access through their national DPA; DPRC decisions are binding on the US intelligence community.
  • "Essential Equivalence" Test: The standard, first set in Schrems I and applied in Schrems II, that a third country's legal framework must provide protection essentially equivalent to that guaranteed by the GDPR read in light of the EU Charter of Fundamental Rights.

Step-by-Step Process Flow (Applying Schrems II in Practice)

  1. Map the Transfer – Identify every data flow from the EU to the US (e.g., HR payroll, marketing analytics, cloud storage, support tooling), including onward transfers by processors and sub-processors. Document the data categories, purposes, recipients and legal basis.
  2. Choose a Transfer Mechanism – For each flow, check first whether the US recipient is on the DPF list (adequacy, Art. 45); otherwise use SCCs or BCRs (appropriate safeguards, Art. 46).
  3. Conduct a Transfer Impact Assessment (DTIA) – For Art. 46 transfers, assess whether US law and practice (FISA 702, EO 12333) could reach the data in a way that undermines the clauses, taking into account the nature of the data, the recipient's sector and any documented experience of government requests.
  4. Implement Supplementary Measures – Where the DTIA finds a gap, apply measures that actually block access: encryption performed before export with keys retained in the EU, pseudonymisation whose mapping stays in the EU, and contractual add-ons obliging the US recipient to challenge requests and notify the EU exporter.
  5. Document & Review – Keep the SCCs/BCRs, the DTIA and the supplementary measures on file (supervisory authorities can ask for them); schedule a periodic review and re-run the DTIA whenever US law, the recipient or the data changes.
  6. Monitor the DPF Landscape – Track the adequacy decision and its periodic reviews, and verify that each recipient's DPF certification is current; the DPF has no model clauses to sign, so a recipient that drops off the list must be moved to SCCs.
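
As an added illustration of the technical measures in step 4 (example code written for this guide, not code from the original page or from any vendor), the following Go program applies the two measures the EDPB Recommendations 01/2020 treat as effective when the keys stay with the exporter: HMAC pseudonymisation of the customer identifier and AES-256-GCM encryption of the free-text ticket body, both keyed from an EU-held key holder, so the US importer (and anyone compelling it) receives only a token, a ciphertext and the routing category. The Ticket record, the field names and the in-memory EUKeyHolder standing in for an EU-hosted KMS are assumptions for illustration, and the sample ticket is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Ticket is a constructed support-ticket record as it exists inside the EU controller.
type Ticket struct {
	CustomerEmail string // direct identifier; must not cross the border in clear
	Body          string // free text; may contain anything the customer typed
	Category      string // routing metadata the US desk genuinely needs
}

// ExportedTicket is the only form of the record that leaves the EU.
type ExportedTicket struct {
	CustomerToken string // HMAC pseudonym; reversible only through the EU-side lookup
	Nonce         []byte
	Ciphertext    []byte // AES-256-GCM over Body under a key that never leaves the EU
	Category      string // in clear, but authenticated as AAD
}

// EUKeyHolder stands in for an EU-hosted KMS/HSM (assumed here): keys and mapping never leave it.
type EUKeyHolder struct {
	pseudoKey []byte
	gcm       cipher.AEAD
	lookup    map[string]string
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to work around
	}
	return b
}

// NewEUKeyHolder generates fresh keys; AES-256 and GCM construction cannot fail for a 32-byte key.
func NewEUKeyHolder() *EUKeyHolder {
	block, err := aes.NewCipher(randBytes(32))
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return &EUKeyHolder{pseudoKey: randBytes(32), gcm: gcm, lookup: map[string]string{}}
}

// pseudonymise yields a deterministic token: the US desk can link a customer's tickets without learning who they are.
func (h *EUKeyHolder) pseudonymise(identifier string) string {
	mac := hmac.New(sha256.New, h.pseudoKey)
	mac.Write([]byte(identifier))
	return hex.EncodeToString(mac.Sum(nil))
}

// Export applies both supplementary measures before anything crosses the border.
func (h *EUKeyHolder) Export(t Ticket) ExportedTicket {
	token := h.pseudonymise(t.CustomerEmail)
	h.lookup[token] = t.CustomerEmail
	nonce := randBytes(h.gcm.NonceSize())
	// AAD binds token and category so a ciphertext cannot be re-attached to another record.
	ct := h.gcm.Seal(nil, nonce, []byte(t.Body), []byte(token+"|"+t.Category))
	return ExportedTicket{CustomerToken: token, Nonce: nonce, Ciphertext: ct, Category: t.Category}
}

// Decrypt and Reidentify run only inside the EU, e.g. when an agent escalates a ticket.
func (h *EUKeyHolder) Decrypt(e ExportedTicket) (string, error) {
	pt, err := h.gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(e.CustomerToken+"|"+e.Category))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func (h *EUKeyHolder) Reidentify(token string) (string, bool) {
	id, ok := h.lookup[token]
	return id, ok
}

// USHelpDeskView is all the importer, or an authority compelling it, obtains without the EU keys.
func USHelpDeskView(e ExportedTicket) map[string]string {
	return map[string]string{"customer": e.CustomerToken, "category": e.Category, "body": hex.EncodeToString(e.Ciphertext)}
}

func main() {
	h := NewEUKeyHolder()
	e := h.Export(Ticket{CustomerEmail: "anna@example.eu", Body: "My invoice shows the wrong IBAN", Category: "billing"}) // constructed sample, not real data
	fmt.Println("US help desk sees:", USHelpDeskView(e))
	body, _ := h.Decrypt(e)
	email, _ := h.Reidentify(e.CustomerToken)
	fmt.Printf("EU-side escalation: %s -> %q\n", email, body)
}
```

The design point is where the keys live: if the importer (or its cloud provider) ever held the DEK or the HMAC key, the measure would be ineffective in the EDPB's sense no matter how strong the algorithm. Binding the token and category into the AEAD's associated data also means a record cannot be silently re-labelled downstream without the EU side noticing on decryption.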

Common Mistakes

Mistake | Correction
Assuming SCCs alone are enough after Schrems II. | SCCs must be backed by a documented DTIA (Clause 14 of the 2021 SCCs) and, where the DTIA finds that US law undermines them, by supplementary measures such as encryption with keys held in the EU.
Treating the DPF as optional, or as covering every US recipient. | The DPF adequacy decision has applied since 10 July 2023, but only to US organisations self-certified on the DPF list; transfers to any other US recipient still need SCCs or BCRs plus a DTIA.
Relying on "US-based data centre" location as a safeguard. | Physical location does not change the legal exposure; US law can reach data held by a US-controlled recipient regardless of where the server sits.
Believing that a BCR automatically covers all intra-group transfers. | BCRs are an Art. 46 tool like SCCs: they still require a DTIA for each US-bound flow and must be revisited when US law changes.
Thinking that pseudonymisation alone satisfies the essential equivalence test. | Pseudonymisation reduces risk and counts as a supplementary measure only if the re-identification key stays in the EU; it does not replace the contractual safeguards or the DTIA.

CIPP Exam Insights

  1. Schrems II vs. Schrems I: The exam often asks you to differentiate Schrems I (C-362/14, 2015), which invalidated the Safe Harbour decision because the Commission had not established that US law ensured an adequate level of protection, from Schrems II (C-311/18, 2020), which applied the "essential equivalence" test to Privacy Shield and, for the first time, tied the use of SCCs to a case-by-case assessment of the destination country.
  2. DPF vs. Privacy Shield: Expect a question on what actually changed: the binding necessity and proportionality limits on US signals intelligence in EO 14086, and the CLPO/Data Protection Review Court redress route replacing the Ombudsperson the CJEU found inadequate. The commercial Principles are largely carried over from Privacy Shield.
  3. Supplementary Measures Requirement: Art. 46(2)(c) GDPR is the legal basis for SCCs; the duty to assess the destination country's law and add supplementary measures where needed comes from the Schrems II judgment (paras. 133-134) and EDPB Recommendations 01/2020. The exam may present a scenario where only encryption is used and ask if it is sufficient: it can be, but only if the keys stay outside the importer's reach and the importer never needs the plaintext.
  4. Transfer Impact Assessment (DTIA) Scope: The exam tests whether you know the DTIA covers legal, technical and organisational aspects, not just a legal review, and that the importer's documented practical experience of government requests may be taken into account only where it is relevant, objective, reliable, verifiable and publicly available or otherwise accessible.

Quick Check Questions

  1. Scenario: A French e-commerce site uses a US-based email-marketing platform to send newsletters to EU customers. The contract contains only the 2021 SCCs.
    Question: Is the transfer compliant?
    Answer: Not on its own. Clause 14 of the 2021 SCCs obliges the exporter to document a DTIA; if it shows that US law (e.g., FISA 702 reaching the platform as an electronic communications service provider) undermines the clauses, supplementary measures such as pseudonymising the subscriber list are required. Alternatively, if the platform is DPF-certified, the exporter can rely on the adequacy decision instead of the SCCs.

  2. Scenario: A German biotech firm has an approved BCR for its global group. It wants to send clinical trial data to its US research centre.
    Question: What additional step is required under Schrems II?
    Answer: Conduct a DTIA for the US flow and, if it identifies a gap, add supplementary measures (e.g., key-coded trial data with the key held in the EU, encryption with EU-held keys) before the transfer; BCRs are an Art. 46 tool and carry the same verification duty as SCCs.

  3. Scenario: A UK-based SaaS provider plans to rely on the EU-US DPF for transfers to a US sub-processor.
    Question: Can the provider start transferring data today under the DPF?
    Answer: For EU personal data, yes, provided the US recipient appears on the DPF list: the adequacy decision has applied since 10 July 2023, and there are no "DPF clauses" to sign. For UK personal data the provider is subject to the UK GDPR, and the recipient must additionally be certified to the UK Extension to the DPF (the UK-US "data bridge", in force since 12 October 2023). Transfers to non-certified US recipients still need SCCs (or, for UK data, the IDTA/Addendum) plus a DTIA.


Last-Minute Cram Sheet (10 One-Liners)

  1. Schrems II (C-311/18, 16 July 2020) – Privacy Shield invalid; SCCs survive but require case-by-case verification of essential equivalence.
  2. SCCs (2021 version, Decision 2021/914) – four modules; Clause 14 requires a DTIA; supplementary measures where the DTIA finds a gap (EDPB Recommendations 01/2020).
  3. DPF – EO 14086 (October 2022) plus the Commission adequacy decision of 10 July 2023; adds necessity/proportionality limits and the CLPO/Data Protection Review Court redress route; covers only DPF-certified US organisations.
  4. Adequacy Decision – Art. 45; only the Commission can issue one; reviewed periodically and open to challenge before the CJEU.
  5. US Surveillance Laws – FISA Section 702 and EO 12333 (with PPD-28) are the core CJEU concerns; contractual clauses cannot bind US authorities.
  6. BCRs – Art. 47; approved by the lead DPA; still need a DTIA for each US-bound flow.
  7. Supplementary Measures – encryption with keys held in the EU, pseudonymisation with the mapping kept in the EU, split or multi-party processing, contractual duties to challenge requests and notify the exporter.
  8. DTIA – assess the law and practice of the destination, the likelihood of access, the effectiveness of safeguards and the redress available to data subjects; document it and keep it current.
  9. Art. 45 vs. Art. 46 – Art. 45 = adequacy decision (no DTIA needed); Art. 46 = appropriate safeguards (SCCs, BCRs, codes of conduct, certifications) that require a DTIA and, where needed, supplementary measures.
  10. Fine Ceiling – up to €20 million or 4% of worldwide annual turnover, whichever is higher (Art. 83(5)(c) GDPR), for unlawful international transfers.

Use this guide to audit every EU-US data flow, choose the right transfer tool, and document compliance with the post-Schrems II "essential equivalence" standard.