Logo Logo
Cookiebot

The General Data Protection Regulation (GDPR) and ePrivacy Directive (ePR) affect how your website may use cookies and where in the world it may send personal data to.

Scan your website for free to see if you are sending personal data to non-adequate countries.

Schrems II and Privacy Shield ruling out of CJEU.

Updated November 12, 2020.


In July 2020, the European Court of Justice (CJEU) struck down the Privacy Shield that secured unrestricted EU-US data flow on the grounds that personal data transferred to and stored in the US could not be guaranteed an adequate level of data protection as that under the GDPR.

In this blogpost, we guide you through the Schrems II ruling, the European Data Protection Board’s (EDPB) recommendations for assessing and securing data transfers outside of the EU, and the consequences for your website.

Use Cookiebot’s powerful scanner to see where in the world your website sends data to.


Quick summary


Schrems II, Privacy Shield and EU-US data flow

The EU Court of Justice (CJEU) delivered on Thursday July 16, 2020 a ruling in the case known as Schrems II (C-3111/18), in which the mechanisms for personal data transfers between the EU and the US were challenged based on the argument that US law cannot adequately ensure protection of EU personal data.

In a landmark decision, the CJEU struck down the Privacy Shield, one of the most widely used mechanisms allowing US commercial companies to transfer and store EU personal data in the US.

The decision by the CJEU to rule the Privacy Shield invalid renders the US a non-adequate country without any special access to Europe’s personal data streams.

Next, the CJEU validated the Standard Contractual Clauses (SCCs), another commonly used mechanism for transatlantic data transfers, saying that this mechanism does make it possible in practice to ensure compliance with the level of protection required by EU law.

However, the decision requires data controllers to assess the level of data protection in the data recipient’s country and to suspend transfer if deemed non-adequate. It also underlines the strong obligation of each data protection authority in all EU member states to suspend the transfer of personal data if they deem them unsafe according to EU data protection requirements.​

EU Court of Justice official press release on the Schrems II ruling

EDPB FAQ on the Schrems II Privacy Shield case

Use Cookiebot to see where in the world you send data


EDPB recommendations for data transfers outside EU


On November 10, 2020, the European Data Protection Board (EDPB) adopted recommendations for how to transfer data outside of the EU in a step-by-step guide for companies and organizations, delivering clarity to the industry confusion that has existed since the Privacy Shield was struck down earlier in 2020.

The EDPB recommendations help website owners and operators navigate the legal ocean of sending data outside of the EU to non-adequate countries, such as the US, while making sure that the data remains protected.

The EDPB also released a second document – EU Essential Guarantees – that can be used as support for website owners and operators, when assessing whether data transfers to a country is secure or not.

EDPB’s recommendations on supplementary measures (PDF)

EU essential guarantees (PDF)

In the following section, we run through the EDPB recommendations for safe data transfers outside EU, with a particular focus on the consequences for your website’s use of cookies and processing of personal data from your end-users.

N.B. keep in mind that websites can send data in other ways than through cookies and trackers.


Step 1 – where do you send data to?

You need to know where in the world your website sends end-user personal data to – this is step one.

This is key to everything else, because if you find out that your website is sending personal data from users to e.g. the US, additional steps need to be taken to ensure compliance.

Mapping out your website’s data flow can be a very difficult task but using Cookiebot’s powerful website scanner will automatically detect all cookies and trackers on your site and give you a detailed report on where in the world your website sends data to.

Scan your website for free to see where in the world you send data to


Step 2 – how do you send data?

Once you have an overview of where in the world your website sends personal data to, step two in the EDPB recommendations is to make sure that you use the right transfer mechanism.

If your website sends personal data to countries with an EU adequacy agreement (e.g. Japan), you don’t need to take any further steps regarding these data transfers.

But if your website is also sending personal data to countries without an EU adequacy agreement (e.g. United States), you need to make sure that your website uses one of the transfer tools listed in Article 46 of the GDPR.

And remember, you always need the consent of your end-users before collecting or processing any personal data – also if you don’t send it to countries outside EU.

Scan your website for free to see what cookies track personal data from users


Step 3 – will data be protected after you send it?

Evaluating whether a country has laws or privacy practices in place that can guarantee an equivalent level of data protection for your website’s users and their personal data is step three in the EDPB recommendations guide.

This step might seem a bit tricky – perhaps you’re not very familiar with US privacy law?

Here is where the EDPB’s EU Essential Guarantees can help you determine a country’s level of data protection.

The EU Essential Guarantees can help you get an overview of how to do such an evaluation on the countries your website sends data to, such as looking for whether –

Scan your website to see where in the world you send data to


Step 4 – adopting additional data transfer protections

If you discover that your website sends personal data from end-users to e.g. the US, which is not recognized as having an adequate level of data protection, step four of the EDPB recommendations maps out how you can ensure additional security around your data transfers so that they meet EU standards of equivalence.

These supplementary measures in the EDPB recommendations include –

These supplementary measures are found in Annex 2 of the EDPB recommendations (PDF)


Step 5 & 6 – document and reassess

In step five and step six of the EDPB recommendation guide, you are encouraged to document your data transfer practices and how you ensure adequate protection for your website’s end-users.

You are also encouraged to reevaluate your data transfer practices at appropriate intervals to make sure that you’re always up to date on the latest developments in the countries you send personal data to.

Scan your website to see where in the world you send data to


Where does your website send data to?


Scan your website for free with Cookiebot

Scan your website to get full overview and control of all cookies and tracking in operation on your domain.

Cookiebot’s world-leading scanning technology enables you to map out what kind of data your website processes and where in the world it sends user data to.

Get a free scan report from Cookiebot that shows which countries each cookie on your website sends user data to, and whether the countries are considered an adequate country by the EU

With Cookiebot, you get total transparency into your website’s data flows and full control of third-party cookies, such as Facebook and Google cookies from the US.



Schrems II ruling means extra scrutiny for EU-US personal data transfer.

Cookiebot’s consent banner enabling full GDPR compliance on your website.



Cookiebot’s consent management platform enables true consent for end-users through a cookie banner that automatically groups all trackers into four easy-to-understand cookie categories, which end-users can activate and deactivate in a granular fashion, ensuring valid consent under the GDPR.


Full transparency

Cookiebot’s scanning technology finds all cookies and trackers on your website and maps out exactly what kinds of personal data they process and where in the world they send data to – allowing you to quickly gain full insight into your domain’s compliance level and end-user data protection.


Full compliance

Cookiebot’s consent management platform hands over full control to the end-user, enabling them to give granular consent to each specific data processing purposes, as required under the GDPR to ensure full personal data protection.


Full customizability

Cookiebot is fully customizable, allowing your website to inform its users of your specific cookie and tracking setup and to engage them in honest and transparent dialogue about what data you process, how, for what purpose and where in the world it is sent to.

Scan your website for free to see where in the world user data is sent to

Try Cookiebot free for 30 days... or forever if you have a small website

Learn more with Cookiebot Support’s article on sending personal data to non-adequate countries

Learn more about GDPR and cookie consent

Learn more about CCPA compliance with Cookiebot


What is the Schrems II case about?


Named after Austrian lawyer and data privacy activist Max Schrems of NOYB, the Schrems II case challenged two of the most widely used mechanisms for transferring personal data from the EU to the US, namely the Standard Contractual Clauses (SCCs) and the Privacy Shield framework.

The EU’s General Data Protection Regulation (GDPR) requires a country to have an adequate level of data protection before personal data can be transferred to it from the EU. Adequacy decisions made by the EU Commission determine whether personal data can legally be sent to a country outside the EU.

The United States is not recognized by the EU as having an adequate level of data protection, but several transfer mechanisms allow commercial companies and organizations in the US to engage in transfers of personal data from the EU to the US where it is then stored.

These include the Standard Contractual Clauses (SCCs), Privacy Shield and Binding Corporate Rules (BCRs).


Is EU personal data protected adequately after transfer to the US?

The Schrems II case made its way to the CJEU from a request in 2015 by Max Schrems to the Irish Data Protection Commissioner to order Facebook to suspend its data transfers from the EU to the US.

Facebook’s practices of transferring personal data out of the EU via their servers in Ireland to their headquarters in the US relies on the SCCs.

The Schrems II case challenged the legality of this system, arguing that an EU adequate level of data protection cannot be ensured by Facebook, since US laws (like FISA 702 and EO 12.333) mandates mass surveillance in sharp contrast to EU law (like the GDPR) that mandates strong data privacy.

Schrems’ request to ban Facebook data transfers from the EU to the US made its way through the Irish High Court to the CJEU, referred to the top EU court as eleven questions that all deal with issues around whether and how personal data from EU citizens can be protected in the US, whose legal landscape is fundamentally different.

The CJEU ruling in the Schrems II case on July 16, 2020 sided in large part with Max Schrems, invalidating the Privacy Shield as a mechanism for EU-US personal data transfer and imposing strong obligations on data controllers and data protection authorities in each EU member state to ensure adequate protection for personal data transfers when using Standard Contractual Clauses as a mechanism.

Test for free to see if your website sends personal data to non-adequate countries


Swiss-US Privacy Shield also struck down


On September 8, 2020, following an assessment of the CH-US Privacy Shield that ensures data transfers between Switzerland and the US, the Swiss Federal Data Protection and Information Commissioner (FDPIC) struck down the transfer regime as inadequate.

The FDPIC deemed the US to have an inadequate level of data protection and the CH-US Privacy Shield transfer mechanism was invalidated – just as the CJEU has invalidated the EU-US Privacy Shield.

Learn more about the CH-US Privacy Shield decision


FAQ


What is Schrems II

Schrems II is an EU Court of Justice (CJEU) case ruling on the mechanisms that allow personal data flows from the EU to the US. The CJEU struck down the Privacy Shield, a widely-used framework for personal data transfer to the US, and ruled that Standard Contractual Clauses (SCCs) can be used, so long as the data controller, data recipient and data protection authority in the EU member country deem the transfer to be able to ensure an adequate level of data protection.

Scan for free to see where your website sends data to


Does my website send data to the US?

If your website uses cookies and trackers from social media platforms, analytics tools or marketing software run by US companies, it is very likely that they will transfer and store personal data from your end-users to the US.

Scan your website with Cookiebot to gain full transparency


Is my website GDPR compliant?

For your website to be compliant with the General Data Protection Regulation (GDPR), you must ask for and obtain the explicit consent from end-users prior to any collection, processing or sharing of their personal data. If you have Facebook or Google cookies on your website, these are only allowed to be activated after your users have given their consent.

Learn more about GDPR and cookie consent


How can I scan my website for cookies?

Using a consent management platform with world-leading scanning technology enables you to deep-scan your domain to detect and control all cookies and similar tracking technologies. Mapping out your website’s cookie setup gives you instant insight into how your website processes personal data and where in the world it sends this data.

Try Cookiebot free for 30 days... or forever if you have a small website.


Resources


EU Court of Justice (CJEU) official press release in the Schrems II/Privacy Shield case

EDPB recommendations for data transfers outside EU (PDF)

EDPB essential guarantees (PDF)

Schrems II ruling digest by Max Schrems at NOYB

EDPB guidelines on sending data to non-adequate third countries

Learn more about GDPR and cookie consent

Learn more about GDPR compliance for your website

Learn more about EDPB guidelines on valid consent in EU

Try Cookiebot free for 30 days… or forever if you have a small website.

New Google Consent Mode 

Cookiebot integrates perfectly with the new Google Consent Mode.

Make your website’s use of cookies and online tracking compliant today

Try for free