‘Schrems II’ Judgment C-311/18: Application of Charter Rights to Data Protection and Effective Remedy Beyond EU Borders – A state of Play and a Critical Reflection Two Years Later

In its Schrems II judgment, the Grand Chamber of the Court ruled that the United States law and practices, notably bulk-interception programmes, were not providing a level of protection of personal data essentially equivalent to the protection conferred by the EU Charter of Fundamental Rights and, therefore, invalidated the Privacy Shield for violating Articles 7 and 8 of the Charter. Since, in addition, there is no effective remedy available to data subjects protected by the GDPR, the Court held that the Privacy Shield also violated Article 47 of the Charter. The Court, nevertheless, left the standard data protection clauses as one of the transfer tools available to data exporters, with the understanding that it is up to the data exporter to implement the additional safeguards necessary to compensate for any shortcomings in the third country and achieve an essentially equivalent level of protection. While the judgment provides, to some extent, clear guidance on the application of EU law and maps out a coherent regime as to how data can be transferred, this article reflects on some aspects that remain problematic in practice, both for data exporters in general and for the original complainant in the Schrems litigation in particular. The ‘risk-based approach’ and its recognition are discussed, revealing that ultimately the law, and the Court's judgment, do not seem to allow for certainty in this matter and require the stakeholders to take a position in their respective situations, choosing between a strict or stretched interpretation.