Cookiebot

The General Data Protection Regulation (GDPR) and ePrivacy Directive (ePR) affect how your website may use cookies and where in the world it may send personal data.

Scan your website for free to see if you are sending personal data to non-adequate countries.

Schrems II and Privacy Shield ruling out of CJEU.

Updated September 9, 2020.


Can personal data from the EU be transferred to and stored in the US while being guaranteed the same adequate level of data protection as under the GDPR?

This was the central question in the Schrems II case before the CJEU.

Learn about the Schrems II ruling and its consequences for your website here.


Quick summary


Schrems II, Privacy Shield and EU-US data flow

On Thursday, July 16, 2020, the EU Court of Justice (CJEU) delivered a ruling in the case known as Schrems II (C-3111/18), in which the mechanisms for personal data transfers between the EU and US were challenged based on the argument that US law cannot adequately ensure protection of EU personal data.

In a landmark decision, the CJEU struck down the Privacy Shield, one of the most widely used mechanisms allowing US commercial companies to transfer and store EU personal data in the US.

The decision by the CJEU to rule the Privacy Shield invalid renders the US a non-adequate country without any special access to Europe’s personal data streams.

Next, the CJEU validated the Standard Contractual Clauses (SCCs), another commonly used mechanism for transatlantic data transfers, saying that this mechanism does make it possible in practice to ensure compliance with the level of protection required by EU law.

However, the decision requires data controllers to assess the level of data protection in the data recipient’s country and to suspend transfer if deemed non-adequate. It also underlines the strong obligation of each data protection authority in all EU member states to suspend the transfer of personal data if they deem it unsafe according to EU data protection requirements.

EU Court of Justice official press release on the Schrems II ruling

EDPB FAQ on the Schrems II Privacy Shield case

While awaiting an industry response, especially from Facebook, which is directly implicated in the Schrems II ruling by the EU Court of Justice, here is how you can gain full transparency of your website’s data flows, including where in the world personal data from your end-users is sent.


Where does your website send data to?


Scan your website for free with Cookiebot

Scan your website to get full overview and control of all cookies and tracking in operation on your domain.

Cookiebot’s world-leading scanning technology enables you to map out what kind of data your website processes and where in the world it sends user data to.

Get a free scan report from Cookiebot that shows which countries each cookie on your website sends user data to, and whether each country is considered adequate by the EU.

With Cookiebot, you get total transparency into your website’s data flows and full control of third-party cookies, such as Facebook and Google cookies from the US.



Schrems II ruling means extra scrutiny for EU-US personal data transfer.

Cookiebot’s consent banner enabling full GDPR compliance on your website.



Cookiebot’s consent management platform enables true consent for end-users through a cookie banner that automatically groups all trackers into four easy-to-understand cookie categories, which end-users can activate and deactivate in a granular fashion, ensuring valid consent under the GDPR.


Full transparency

Cookiebot’s scanning technology finds all cookies and trackers on your website and maps out exactly what kinds of personal data they process and where in the world they send data to – allowing you to quickly gain full insight into your domain’s compliance level and end-user data protection.


Full compliance

Cookiebot’s consent management platform hands over full control to the end-user, enabling them to give granular consent to each specific data processing purpose, as required under the GDPR to ensure full personal data protection.


Full customizability

Cookiebot is fully customizable, allowing your website to inform its users of your specific cookie and tracking setup and to engage them in honest and transparent dialogue about what data you process, how, for what purpose and where in the world it is sent to.

Scan your website for free to see where in the world user data is sent to

Try Cookiebot free for 30 days... or forever if you have a small website

Learn more with Cookiebot Support’s article on sending personal data to non-adequate countries

Learn more about GDPR and cookie consent

Learn more about CCPA compliance with Cookiebot


What is the Schrems II case about?


Named after Austrian lawyer and data privacy activist Max Schrems of NOYB, the Schrems II case challenged two of the most widely used mechanisms for transferring personal data from the EU to the US, namely the Standard Contractual Clauses (SCCs) and the Privacy Shield framework.

The EU’s General Data Protection Regulation (GDPR) requires a country to have an adequate level of data protection before personal data can be transferred to it from the EU. Adequacy decisions made by the EU Commission determine whether personal data can legally be sent to a country outside the EU.

The United States is not recognized by the EU as having an adequate level of data protection, but several transfer mechanisms allow commercial companies and organizations in the US to engage in transfers of personal data from the EU to the US where it is then stored.

These include the Standard Contractual Clauses (SCCs), Privacy Shield and Binding Corporate Rules (BCRs).


Is EU personal data protected adequately after transfer to the US?

The Schrems II case made its way to the CJEU from a request in 2015 by Max Schrems to the Irish Data Protection Commissioner to order Facebook to suspend its data transfers from the EU to the US.

Facebook’s practice of transferring personal data out of the EU via their servers in Ireland to their headquarters in the US relies on the SCCs.

The Schrems II case challenged the legality of this system, arguing that an EU-adequate level of data protection cannot be ensured by Facebook, since US laws (like FISA 702 and EO 12.333) mandate mass surveillance, in sharp contrast to EU law (like the GDPR), which mandates strong data privacy.

Schrems’ request to ban Facebook data transfers from the EU to the US made its way through the Irish High Court to the CJEU, referred to the top EU court as eleven questions that all deal with issues around whether and how personal data from EU citizens can be protected in the US, whose legal landscape is fundamentally different.

The CJEU ruling in the Schrems II case on July 16, 2020 sided in large part with Max Schrems, invalidating the Privacy Shield as a mechanism for EU-US personal data transfer and imposing strong obligations on data controllers and data protection authorities in each EU member state to ensure adequate protection for personal data transfers when using Standard Contractual Clauses as a mechanism.

Test for free to see if your website sends personal data to non-adequate countries


Swiss-US Privacy Shield also struck down


On September 8, 2020, following an assessment of the CH-US Privacy Shield that ensures data transfers between Switzerland and the US, the Swiss Federal Data Protection and Information Commissioner (FDPIC) struck down the transfer regime as inadequate.

The FDPIC deemed the US to have an inadequate level of data protection and the CH-US Privacy Shield transfer mechanism was invalidated – just as the CJEU has invalidated the EU-US Privacy Shield.

Learn more about the CH-US Privacy Shield decision


FAQ


What is Schrems II?

Schrems II is an EU Court of Justice (CJEU) case ruling on the mechanisms that allow personal data flows from the EU to the US. The CJEU struck down the Privacy Shield, a widely-used framework for personal data transfer to the US, and ruled that Standard Contractual Clauses (SCCs) can be used, so long as the data controller, data recipient and data protection authority in the EU member country deem the transfer to be able to ensure an adequate level of data protection.

Scan for free to see where your website sends data to


Does my website send data to the US?

If your website uses cookies and trackers from social media platforms, analytics tools or marketing software run by US companies, it is very likely that they will transfer personal data from your end-users to the US and store it there.

Scan your website with Cookiebot to gain full transparency


Is my website GDPR compliant?

For your website to be compliant with the General Data Protection Regulation (GDPR), you must ask for and obtain explicit consent from end-users prior to any collection, processing or sharing of their personal data. If you have Facebook or Google cookies on your website, these are only allowed to be activated after your users have given their consent.

Learn more about GDPR and cookie consent


How can I scan my website for cookies?

Using a consent management platform with world-leading scanning technology enables you to deep-scan your domain to detect and control all cookies and similar tracking technologies. Mapping out your website’s cookie setup gives you instant insight into how your website processes personal data and where in the world it sends this data.



Resources


EU Court of Justice (CJEU) official press release in the Schrems II/Privacy Shield case

Schrems II ruling digest by Max Schrems at NOYB

EDPB guidelines on sending data to non-adequate third countries

Learn more about GDPR and cookie consent

Learn more about GDPR compliance for your website

Learn more about EDPB guidelines on valid consent in EU
