Top 10 takeaways from the Schrems decision

There has been a lot of discussion about whether the recent Schrems decision means that you can no longer export personal data to the US and what hoops you have to jump through to export personal data elsewhere.

We have cut through the complexity to set out below what the decision says and what this means from a practical point of view in 10 bitesize takeaways.

Our data protection lawyers are experienced with all aspects of data export and related regulatory issues. Contact us today for legal advice and support for your business about the Schrems decision and other data protection matters.

  1. What's the background to the Schrems case?
  2. What are the rules around exporting personal data?
  3. What happened in the Schrems case?
  4. Who is affected?
  5. Can we still transfer personal data to the US?
  6. How have the US and European Regulators responded?
  7. How have other countries been affected?
  8. Does this mean that it will be difficult to get personal data from the EU into the UK from 1 January?
  9. What can you do?
  10. Where do we go from here?

1. What's The Background To The Schrems Case?

The Schrems case is about the export of personal data from the EEA (the EU plus Liechtenstein, Iceland and Norway) to countries outside the EEA.

Data export has been a contentious issue for a number of years, and was regulated under the old Data Protection Act 1998, which predated GDPR.

At one point, during the discussions around GDPR, there was some talk of relaxing the rules to recognise that the world has become more globalised and large IT suppliers might have locations around the world. The Edward Snowden revelations put paid to that, and GDPR regulated data export in much the same way as the old law.

Although GDPR preserved the regulation of data export, privacy campaigners have been unhappy with the protections for individuals and worked for years to get this tightened up.

This came to a head in two cases spearheaded by privacy activist Max Schrems.

In both cases, he argued that the protection for his personal data was inadequate when Facebook exported it to the US.

2. What Are The Rules Around Exporting Personal Data?

Organisations can send personal data from countries within the EEA to other countries in the EEA without putting export safeguards in place. However, stricter controls are in place under data protection laws if they send personal data to a country outside of the EEA. This is to make sure that individuals have the same level of protection and rights over their personal data as if that personal data had remained in the EEA.

When thinking about exporting personal data you need to consider not only actively sending personal data to a country outside the EEA, but also giving someone access to the personal data, even if it stays on your servers, such as an IT provider or outsourced IT support.

If you are planning on exporting personal data to countries outside the EEA then additional safeguards need to be in place. Common ways to export personal data pre-Schrems included the following:

  1. The EU Commission had reviewed the country in question and found it to provide adequate protection to the personal data exported to it. There are many countries on this list, from Uruguay to Jersey and Israel to the Isle of Man.
  2. If the personal data was going to the US, the business it was going to was on the Privacy Shield register run by the US Department of Commerce.
  3. Parties to the export had the EU Commission's approved standard contractual clauses (“SCC”) in place.
  4. The transfer was intra-group and the group had approved “Binding Corporate Rules” in place between the group companies.

There are also some limited exemptions that organisations could rely on for ad hoc occasional transfers.

3. What Happened In The Schrems Case?

In 2015, Max Schrems successfully had Safe Harbor, the precursor to Privacy Shield, declared invalid in his first case against Facebook. He was unhappy with his personal data being sent by Facebook in Ireland to the US on the basis of Safe Harbor as he considered that the security services could access his data and he would have little recourse.

Schrems II continued the complaint against Facebook Ireland around the transfer of his personal data to the US. In Schrems II, the validity of using Privacy Shield and SCCs to transfer personal data to the US was considered by the Court.

On 16 July 2020, the EU Court of Justice (“CJEU”) released their judgment which ruled that:

  1. Privacy Shield was invalid. The Court didn’t feel that the US gave sufficient protection for personal data because of access by the US security services, and the right to get redress for breach of Privacy Shield was also insufficient.
  2. The SCCs remained valid and could be used to export personal data in principle, but due diligence had to be done on the legal system of the country the personal data was being exported to, to show that there are adequate protections for personal data. The controllers of the personal data now need to be comfortable that there is an ‘adequate’ level of protection for the personal data in that country, using the adequacy test in Article 45(2) of the GDPR. 

The Court’s assessment above also applies in the context of Binding Corporate Rules (“BCRs”).

4. Who Is Affected?

Any organisation sending personal data outside of the EEA.

While the focus has been on the export of personal data to organisations in the US, the judgment applies to all countries outside of the EEA. Any organisation which exports personal data outside of the EEA should review the transfer mechanisms and see if they meet the new requirements set out in the judgment.

5. Can We Still Transfer Personal Data To The US?

While the SCCs are still valid, the same concerns around access by security services and the lack of redress should also apply to the SCCs and any BCRs if you have to do due diligence.

If SCCs and BCRs are under question, then there's doubt over the legitimacy of export to the US unless the ad hoc exemptions apply. Given the $7.1 trillion economic relationship between the EU and the US, there will be pressure on both sides of the Atlantic to limit the negative impact of the judgment and find a solution.

There are ongoing discussions about a new version of Privacy Shield (see below) and there are suggestions that the type of personal data concerned could be looked at to see if that improves the position on the due diligence.

At the moment, however, the position is uncertain. What we can say is that you can't use Privacy Shield, but at present SCCs remain valid and organisations need to carry out the risk assessment and be comfortable on a case-by-case basis that the export on the basis of SCCs is compliant.

6. How Have The US And European Regulators Responded?

As expected, there has been a mixed reaction both across Europe and in the US.

A number of regulators across Europe have said that there is no grace period and that, as of 16 July, the Privacy Shield is invalid, can't be used as a transfer mechanism to safeguard personal data, and due diligence under SCCs is necessary.

The Irish Data Protection Commissioner has been outspoken on the matter and has said that, logically, the judgment means that it would be difficult to show that any transfers to the US would meet the requirements of showing that individuals have the same level of protection for their personal data. In August she issued a preliminary order requiring Facebook to suspend transfers to the US about its EU. The Irish High Court considers this to be hasty and on 14 September held that Facebook Ireland could challenge the decision. The next court hearing is scheduled for November.

The UK Information Commissioner’s Office has advised that, for the time being, businesses relying on the EU-US Privacy Shield can continue to do so until new guidance becomes available, but any business not currently relying on the framework should not start now.

On 10 August, the US Department of Commerce and the European Commission released a joint statement to advise that they have started discussions on an enhanced Privacy Shield framework to comply with the judgment. They commented that they recognised the vital importance of data protection and the significance of cross-border transfers to individuals and economies.

Since the judgment, the European Data Protection Board has created two task forces: one to prepare recommendations to support controllers and processors regarding their duties and the second to handle and review complaints received by the regulators in the EEA. Guidance on what has to be done to meet the due diligence requirements would certainly be welcome!

While there is no formal grace period, we would hope that data protection authorities delay taking enforcement action until clear guidance is available.

7. How Have Other Countries Been Affected?

The US isn't alone in having strict surveillance laws and it remains to be seen how the judgment will affect adequacy decisions and whether data protection authorities highlight any countries whose surveillance regimes mean that SCCs can’t be used as the due diligence requirements cannot be met. At the moment, this is just speculation and what happens in relation to other countries still remains to be seen.

8. Does This Mean That It Will Be Difficult To Get Personal Data From The EU Into The UK From 1 January?

As of 1 January 2021, the UK won't be in the EU and won't have the benefit of the transitional arrangements. It will therefore be in the same boat as the US in relation to the export of personal data unless a deal is done.

The government has gone on record as saying that it would like to be given an adequacy decision by the EU in the same way as Japan or New Zealand. As adequacy decisions usually take 3 years, this is unlikely to happen before January.

The government’s aspiration was dealt a further blow on 6 October when the CJEU ruled that the ‘mass surveillance’ regime in the UK (as well as France and Belgium) was illegal. It determined that the government cannot indiscriminately retain data, or transfer it to security agencies, for the purpose of combatting crime or safeguarding national security. This gives rise to similar concerns as were raised in relation to the US and could make the transfer of personal data from the EU to the UK very difficult after 1 January.

9. What Can You Do?

As a first step, organisations should review their data flows to identify data exports, where data goes, and what safeguards they have used to date. If you rely on Privacy Shield, you'll need to replace it.

Changing to SCCs is the obvious choice if the country the personal data is going to provides adequate protections and can meet the due diligence requirements. If the requirements can’t be met, then you need to look at ad hoc exemptions. If they don’t help, then either the data export must stop or the organisation will have to be comfortable with the level of risk it's taking on by not being able to meet the due diligence requirements.

10. Where Do We Go From Here?

It is a case of 'watch this space'. As highlighted above, the European Commission, the US and the EU regulators are all working towards putting in place alternative transfer mechanisms and updating the SCCs to ensure compliance with the GDPR.

However, there's no question that the more an organisation knows about its data flows, the countries it transfers to, and its transfer mechanisms the better.

Joanne Bone, Partner
© 2025  Irwin Mitchell LLP

Irwin Mitchell LLP is authorised & regulated by the Solicitors Regulation Authority.
