international law,

Schrems II - Implications for Data Flows Post Brexit

By Osama Shaaban Apr 09, 2021

The invalidation of the EU-US Privacy Shield in the advent of the Schrems II case raises a plethora of concerns for the UK’s free flow of data to the European Economic Area (EEA) post-Brexit. With the instant invalidation of the Privacy Shield agreement relied upon by over 5000 corporations within the EU and the US1, transborder data flows have been severely affected as a result of mandating heightened data protection assessments when transferring data out of the EU. This blog piece aims to analyse the Schrems II case and its application to the UK’s current data protection regime to determine if the UK will be granted an ‘adequacy status’. It will assess the UK’s legislative responses to jurisprudence from the Court of Justice of the European Union and discuss how these may act as impediments which prevent the European Commission from reaching an adequacy decision. Finally, this article will evaluate the implications of not being granted an ‘adequacy status’ on the UK’s transborder data flows to the EU upon the expiry of the transition period.    

1) What is an ‘adequacy status’ and why does it matter? 

An ‘adequacy status’ is granted by the European Commission to non-EU countries – which are known as third countries wishing to have free and unimpeded data flow within the European Economic Area. It is granted when a third country’s data protection regime is deemed to provide a level of protection which is ‘essentially  equivalent’2 to EU law. In evaluating the third country’s legal regime, the European Commission looks at, inter alia, the extent to which the rule of law respects human rights and fundamental freedoms, the means of judicial redress afforded to data subjects and the effective functioning of an independent supervisory authority enforcing compliance with data protection rules.3

With the UK becoming a ‘third country’ vis-à-vis the EU, not being granted an adequacy status by the European Commission would result in companies having to resort to alternative methods of legal compliance under the GDPR. Therefore, analysing the legislative frameworks pertaining to the UK in light of Schrems II will allow for the extrapolation of whether such frameworks might be deemed adequate by the European Commission. 

Analysing whether the UK will be granted an adequacy status also matters in the context of the UK being provided with a six month interim period by the EU-UK Trade and Cooperation Agreement4 which stipulates terms on which the EU and the UK will trade following the end of the implementation period on the 31st of December. The Agreement provides that for an interim period lasting 6 months (from the 1st of January 2021), data flows from the EEA to the UK will not be considered as transfers to a third country under EU law. Therefore, the UK has an additional 6 months to ensure that their data protection laws are fully compatible with Schrems II upon the expiry of the interim period.  

2) Will the UK be granted an ‘adequacy status’ in light of Schrems II

The Schrems II5 case arose following the CJEU’s invalidation of the Safe Harbour Agreement in Schrems I in 2015 and concerned a complaint against Facebook. Privacy advocate Max Schrems contended that US surveillance schemes processing data transferred from Facebook Ireland Ltd. to its parent company in the US, Facebook Inc. conflicts with the General Data Protection Regulation (GDPR) and the rights enshrined in the European Charter of Human Rights.6 While Schrems II was concerned with surveillance schemes adopted by US security agencies and their nonconformity with EU law, the principles elucidated by the CJEU can shed light as to whether an adequacy decision might be granted to the UK.

Grounds for the Invalidation of the EU-US Privacy Shield 

In Schrems II, the EU-US Privacy Shield was invalidated on two grounds. 

(a) The mass surveillance of data by US Agencies

The mass surveillance of data by section 702 Foreign Intelligence Surveillance Act and Executive Order 12333 permit the collection of information from EU data subjects in bulk to obtain foreign intelligence information. In Schrems II, the Court of Justice of the European Union (CJEU) ruled that the surveillance of EU data has not been limited to what is strictly necessary7 thus breaching the principle of proportionality.8 9 In particular, the CJEU ruled that Art. 7 and 8 of the Charter10 stipulating the right to private and family life and protection of personal data respectively were violated as the interference with EU data subjects’ rights and freedoms for national security purposes “go beyond the restrictions necessary in a democratic society”.11   

Applying this to the UK, it is questionable whether UK national security and surveillance law is proportionate to its restrictions. A historical chronology of the development of UK legislative frameworks on surveillance would further illustrate this.                    

Requirements for Data Interception under the Investigatory Powers Act

Following the enactment of the Data Retention and Investigatory Powers Act (DRIPA) in 2014, the Tele2/Watson 12 case challenging UK and Swedish data retention laws concluded that the DRIPA framework does not comply with the E-Privacy Directive 2002/58. In particular, the court held that DRIPA’s legislative framework breached the requirement of retaining data to prevent a “serious risk” to public security and permitted warrants for bulk acquisition of data without notifying individuals that their data was being accessed.13 Three criteria can be extracted from the CJEU judgment on how DRIPA had to be reformed to comply with the e-Privacy Directive:14     

(i)           Security Intelligence Agencies (SIAs) must access metadata for a narrow set of purposes 

(ii)          Prior independent review must take place before authorising data interception

(iii)         Data acquisition/retention must be proportionate and targeted towards specific data subjects who must be informed of their data being processed  

Arguably, the first criteria has been addressed because a narrow set of purposes has been stipulated in the IPA about metadata that can be retained by SIAs.15 An exhaustive list has been added to the IPA whereby processing must be justified according to one of six purposes including “interests of national security” and an “applicable crime purpose”. The second criterion has been also addressed through the IPA by introducing a “double lock” for the interception of warrants whereby warrants/notices must be approved by the Secretary of State and subsequently by the Investigatory Powers Commission prior to being authorised for use in data retention.16 This introduced a more robust framework for authorising the use of warrants for data interception.    

However, the third criteria extrapolated from the judgement has not been met as the Act stipulates that the Secretary of State’s power to authorise a warrant would be considered proportionate as long as data retention is justified according to one of six purposes.17 This fails to ensure that data retention is targeted to certain data subjects or a specific class of individuals whose data must be processed according to the justified purpose.18 This is analogous to s.702 FISA discussed in Schrems II where data retention was not targeted and consequently found to be disproportionate. It is therefore clear that both the US and UK data protection SIAs use “national security” as a blanket defence for disproportionate processing of data in bulk. Furthermore, s.174 of the IPA makes it an offence for telecommunication providers to disclose to any person, “without reasonable excuse”, the contents of a warrant.19 The Act potentially implies that informing data subjects of their data being processed is an offence unless authorised by the Secretary of State. This will likely act as an impediment to being granted an adequacy status as the legislation’s default position should be informing data subjects unless there is a legitimate reason not to. 

In light of the previous analysis which highlights that the IPA framework fails to ensure proportionate data acquisition that is transparently disclosed to all affected data subjects, the response of the minister of State for Media and Data20 to the questions posed by the European Scrutiny Committee is concerning. By praising the IPA as “robust, transparent and world-leading”21, Sir William Cash MP seems give too much merit to the UK legislative framework given the third criterion from the Tele2/Watson judgement that has not been addressed.

National Security Considerations in the Investigatory Powers Act 

The IPA framework has been deemed indiscriminate and disproportionate for protecting national security in the Privacy International case.22 In the case, Privacy International, a UK based charity defending rights to privacy bought a case before the Investigatory Powers Tribunal (IPT) against the Secretary of State for Foreign and Commonwealth Affairs, the Secretary of State for the Home Department, the Government Communications Headquarters (GCHQ) and the UK Security23 and Intelligence24 Agencies challenging the legality of processing bulk communications within the IPA framework due to not being compliant with the E-Privacy Directive and not fully addressing issues identified by Tele2/Watson. However, the UK government argued that the E-privacy Directive does not apply to its processing activities as according to Art.4(2) of the Treaty of the European Union (TEU)25, “national security remains the sole responsibility of each member state”. Since processing occurred for national security purposes, the UK government argued that the E-Privacy Directive does not apply due to national security falling outside the competency of EU law.26 While the CJEU focused on whether EU law has primacy over data processing in the context of national security,27 it also considered whether general and indiscriminate retention of data is permissible under national security purposes as a secondary point. 

Regarding the question of whether national security falls within the competence of EU law, the CJEU ruled that while it is the responsibility of Member States to determine their own security measures, such measures must be in accordance with EU law.28 However, in Schrems II, the CJEU precluded the application of Art.4(2) TEU to the US legal regime as the US is not an EU Member State.29 Therefore, while both Schrems II and Privacy International concerned data processing in the context of ‘national security’, it is clear that the UK government availed of the applicability of the TEU to exclude the disproportionate processing of bulk data by SIAs from the scope of EU law. This, however, will no longer be the case because the UK can no longer take advantage of TEU following the expiry of the transition period. 

However, the CJEU in Privacy International affirmed the applicability of EU law to SIAs processing activities and reiterate what has been discussed in the Schrems II CJEU judgement regarding general and indiscriminate data collection by SIAs for national security purposes, whereby data processing must be proportionate, strictly necessary and targeted according to Art. 15(1) of the E-Privacy Directive 2002/58/EC.30 Therefore, while Privacy International did not evaluate the substantive flaws of the IPA framework, analysing it in conjunction with Schrems II affirms that more robust safeguards for data subjects in the context of national security must be put in place for the UK and the US to be deemed to provide a level of protection “essentially equivalent” to EU law. Contextualising this with Tele2/Watson shows that the IPA framework must address the criteria extracted from the judgment for Sir William Cash MP to describe the IPA as “robust, transparent and world-leading”.

Considerations under the EU-UK Trade Agreement 

It is vital to draw to attention that Article FINPROV.10A of the EU-UK Trade Agreement31 stipulates that if the UK changes its data protection law for reasons other than complying with the EU data protection regime, the interim period automatically comes to an end and the UK becomes a third country vis-à-vis the EU. It is arguable that through this provision, the UK is promising not to use bulk interception of data for national security reasons as the incompatibility of this with EU law has been affirmed through CJEU jurisprudence in Privacy International. Nevertheless, the UK agreeing not to use bulk interception of data is not enough for being granted an adequacy finding upon the expiry of such period.  

Therefore, it is concluded that in order to ensure that the processing of data is proportionate and strictly necessary according to Schrems II, the IPA must address the substantive issues raised in Tele2/Watson by ensuring that data retention is proportionate and targeted, whilst safeguarding data subjects’ by making them fully aware of their data being processed. Hence, at its current form, the IPA framework is not fully “robust, transparent and world-leading”. With the interim period ending on the 1st of July and no reforms being enacted, both judgements read in light of Schrems II present a major setback for the UK obtaining an adequacy decision (pursuant to Art. 45, GDPR).      

(b)  Means for Judicial Redress

The second ground as to why the EU-US Privacy Shield was nullified relates to insufficient means for judicial redress. The creation of the Ombudsperson under the Privacy Shield was declared insufficient by the CJEU because individuals are not able to bring legal action before an impartial and independent court.32 The CJEU justified this point by stating that the “ombudsperson is appointed by the Secretary of State and is an integral part of the US State Department”33thereby alluding to the fact that the judicial body (ombudsperson) is not free from the pressure of the executive. This is detrimental to the impartiality of the ombudsperson who is not able to exert autonomy when making judgements. Furthermore, the CJEU state that although recital 120 of the Privacy Shield agreement stipulates the commitment of the US Government to ensuring that the “Privacy Shield Ombudsperson” corrects violations from SIAs, no provision in the agreement affirms or indicates the “power” of the ombudsperson to adopt decisions that are legally binding on SIAs.34 In light of these issues, the CJEU ruled that the level of protection afforded by the ombudsperson is not “essentially equivalent” to EU law which enshrines a “right to an effective remedy and fair trial” through Article 47 of the Charter of Fundamental Rights.35 As such, two criteria can be extracted from the Schrems II case that must be met for the UK to be granted an adequacy status: (1) that the judicial body responsible for data surveillance issues must be independent and impartial and (2) that the judicial body must have the power to issue legally binding decisions. 

Starting with the first criteria, it is clear that an independent tribunal, specifically, the Investigatory Powers Tribunal (IPT) has been exclusively empowered to hear complaints against the regime and provide redress. This is affirmed through the case of Big Brothers Watch v UK36 which concerned, inter alia, whether the IPT complies with Article 6 (the right to a fair trial) of the European Convention on Human Rights. Since the convention has been woven into EU jurisprudence through the European Charter of Human Rights37, the case provides salient observations on the impartiality of the IPT. The ECtHR ruled that the IPT functions as an independent body and that hosting meetings with Security Services such as MI5 does not undermine the tribunal’s impartiality insofar as fairness, justice and procedural regularity for court hearings are concerned.38 The ECtHR additionally ruled that the tribunal is exempt from having public hearings in instances where information disclosed from parties pertains to national security and that this does not infringe on the transparency of the tribunal and thus its impartiality in the eyes of the public.39

Moving to the second criteria, the ability of the IPT to issue legally binding decisions against the executive branch (i.e. government) is evidenced through the case of Liberty40. The IPT ruled in the case that Article 8 and Article 10 of the ECHR enshrining the right to private and family life and the right to freedom of expression respectively have not been “in accordance with the law”41 as necessary in a democratic society and have thus been violated. Liberty was the first case ruled by the IPT that was found against the government and proved that the judicial framework for redress is more effective than the ombudsperson mechanism in the US as the executive branch can be held accountable when contravening the law. The effectiveness of the IPT in being able to challenge the executive is furthermore demonstrated in the case of Belhadj & Others42 where Security Services’ surveillance schemes (operating under the auspices of the government) were found to contravene the Regulation of the Investigatory Powers Act 2000.43

Another indication that does not directly fall within the Schrems II independent tribunal criteria but could act as an advantage for the UK being granted an adequacy is section 242 of the Investigatory Powers Act 2018,44 which allows parties to appeal from decisions concluded in the IPT to the Court of Appeal. This domestic route of appeal ostensibly provides individuals with further access to judicial redress which is a promising step towards the UK being granted an adequacy decision.    

As such, the UK has an effective judicial redress framework and this could act as an advantage when the European Commission considers granting the adequacy status.   

3) What if the UK is not granted an ‘adequacy status’? 

If the UK is not granted an ‘adequacy status’, companies wishing to import/export data from the EEA must resort to alternative methods of legal compliance such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).45 The case holds that companies using SCCs must implement additional safeguards by assessing SCCs on a case-by-case basis in context of the third country’s legal regime.46 Despite the ICO amending the SCC template following Schrems II to maximise protection by design,47 corporations do not have any guidelines as to how they can assess data exports. This creates practical difficulties for UK corporations relying on SCCs (in the event of no adequacy being granted) as they are obliged by the Schrems II judgement to revisit their terms to establish a comprehensive framework not undermining data subjects’ rights under Art. 44,48 albeit with no guidelines from the ICO on how such protection can be fulfilled.  With such an onerous burden, corporations will likely apply divergent levels of understanding when assessing data exports which runs the risk of not achieving the wider GDPR policy objective of data protection. However, the severity of this burden in light of the Schrems II case remains unaffected in the context of UK companies as firstly, the UK will not be regarded as a third country during the six-month interim period according to the EU-UK Trade Agreement and secondly, the UK legislature has transposed GDPR laws locally through the Data Protection, Privacy and Electronic Communications statutory instrument49 which mirrors the GDPR and thus evidences the UK’s continued compliance with EU law and jurisprudence in Schrems II.

Given the fact that BCRs create legally binding internal rules for data transfers approved by a data protection authority in accordance with Art. 46 GDPR, they are seen as a more feasible and durable method of alternative legal compliance due to not being subject to the same protective standard applied to SCCs in Schrems II.50 UK companies relying on BCRs enjoy a greater deal of flexibility as the competent supervisory authority does not need to evidence ‘non-material updates to BCRs’ thus saving time and costs.51 However, it should be noted that BCRs are not practically useful as they exclusively apply to data transfers within a corporate group.52 The practical utility of BCRs may thus be limited because they cannot enable wider data transfers outside the corporate groups. 

Art. 49 derogations53 are an alternative method of legal compliance that can be applied to a very limited set of circumstances and can be used when SCCs or BCRs cannot be utilised. The European Data Protection Board (EDPB) applies stringent criteria when authorising data transfers under Art. 49 derogations whereby the transborder transfer of data must be strictly necessary for one of seven derogations recognised by the EBDP.54 For instance, if the derogation relied upon is “necessary for the performance of a contract”,55 the EBDP must establish, inter alia, a “close and substantial connection between the transfer and purpose of the contract”.56 The stringent criteria applied by the EBDP when authorising data transfers under Art.49 derogations indicate that they must be used as a last resort and are thus not of practical utility to firms in the event of no adequacy being granted.   

Hence, it seems SCCs  are the only option which corporations can rely on for data transfers to the EEA in the event of no adequacy being granted; although their application remains highly uncertain in light of Schrems II.


This blog piece aims to shed light on the implications of the Schrems II case on post-Brexit data flows in the context of cases decided by the CJEU that highlight areas that must undergo legislative reform to ensure an adequacy status is granted.  Since the interim period stipulated in the EU-UK Trade Agreement is due to expire on the 1st of July, the UK parliament has a six-month period through which it must urgently enact legislative reforms following issues raised in Schrems II concerning proportionality of data processing as well as issues regarding indiscriminate retention of bulk data and the lack of safeguards in the IPA framework according to Privacy International and Tele2/Watson to ensure an adequacy status is granted. It is concluded that in the event of no adequacy being granted upon the expiry of the interim period, companies seeking unencumbered EU-UK data flows must rely on alternative methods of legal compliance. Given the narrow transfer of data within the remit of BCRs and the stringent criteria applied to Art. 49 derogations which must be used as a last resort, companies have no choice but to rely on SCCs which create onerous burdens on firms given the lack of guidance from data protection authorities including the ICO.

Osama Dorgham Kamel Shaaban

I would like to express my sincerest thanks to Mr Ben Davies for his invaluable insight and support on my article, in addition to the editors of the LSE Law Review for feedback on my piece.

[1] Brian Hengesbaugh, ‘What Privacy Shield Organisations should do in the wake of ‘Schrems II’ ‘, (International Association of Privacy [IAPP], 17 July 2020) «» accessed 23 November 2020

[2] EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1, art 45(2)   

[3] Ibid.

[4] Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other Part (FINPROV.10A) [2020] OJ L444/2020 (EU-UK Trade Agreement).

[5] Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems [2020]CJEU.

[6] Schrems II (n 5) [2].

[7] Schrems II (n 5) [181], [182], [192].

[8] Charter of the Fundamental Rights of the European Union (CFR) 2000/C 364/01, art 52(1).

[9] Schrems II (n 5) 174.

[10] CFR, art 8: Respect for Private and Family Life. 

[11] Schrems II (n 5) [30(a)].

[12] Cases C-203/15 & C-698/15 Tele2 Sverige AB v Post -och telestyrelsen and Secretary of State for the Home Department v Tom Watson, Peter Brice, Goeffrey Lewis, Open Rights Group, Privacy International, The Law Society of England and Wales [2016] CJEU.

[13] Data Retention and Investigatory Powers Act 2014, s 1 – this section requires public telecommunications operators to retain all communications data for a maximum of 12 months where required by the secretary of state without notifying individuals.

[14] Tele2/Watson (n 11)[55], [95], [100]. 

[15] Investigatory Powers Act (IPA) 2016, s 87.

[16] GCHQ, ‘Investigatory Powers Act – GCHQ’s mission is predominantly governed by the Investigatory Powers Act 2016’ (Government Communications Headquarters, 2016) .«» accessed 16 January 2021.

[17] Ibid.

[18] Graham Smith, ‘The UK Investigatory Powers Act 2016 – what will it mean for your business’ (Bird & Bird, 2016) <> accessed 15 January 2021.

[19] IPA, s 174.

[20] Rt. Hon John Whittingdale OBE MP, Response to; Commission Communication: ‘Data protection as a pillar of citizens’ empowerment’ (Department for Digital, Culture, Media & Sport, Government of the United Kingdom), 18 Sept. 2020 para 2 «» accessed 26 November 2020.

[21] ibid. Page 4 para 4. 

[22] Case C-623/17 Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others [2020] CJEU.

[23] The Security Service (United Kingdom) MI5. 

[24] The Secret Intelligence Service (United Kingdom) MI5.

[25] Consolidated Version of The Treaty on European Union [2016] OJ C202/16.

[26] Evans M. and Regan J., ‘Two New CJEU Judgements further tighten limits of government surveillance – significant for impending UK Adequacy decision and “Schrems II country assessments” ‘ (Norton Rose Fullbright, 15 Oct 2020) «» accessed 22 November 2020.

[27] Tele2/Watson (n 11)[167]. 

[28] Ibid 90. 

[29] Schrems II (n 5) [81].

[30] Directive 2002/58/EC of the European Parliament of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on Privacy and electronic communications) [2002] OJ L201/37, art 15(1).

[31] EU-UK Trade Agreement. 

[32] Schrems II (n 5)[186].

[33] Ibid [195].

[34] Ibid [196].

[35] CFR, art 47.

[36] Big Brother Watch & Ors v United Kingdom App No.58170/13(ECtHR, 13 Sep 2018). 

[37] Article 6 of the ECHR is the equivalent of Article 47 of the European Charter of Fundamental Rights; right to an effective remedy and to a fair trial - as previously identified in Schrems II (n 5).

[38] Big Brother Watch (n 36) [509], [510].

[39] Ibid [511].

[40] Liberty (The National Council of Civil Liberties) & Others v The Secretary of State for Foreign and Commonwealth Affairs & Others [2015] UKIPTrib 13_77-H, Case No. IPT/13/77/H.

[41] Ibid [97].

[42] Investigatory Powers Tribunal Belhadj and Others v Security Service and others [2015] UKIPTrib 13_77-H, Case No. IPT/13/132-9/H & IPT/14/86/CH.

[43] Regulation of Investigatory Powers Act 2000.

[44] IPA 2016, s 242.

[45] Andrew Dunlop, ‘Standard Contractual Clauses and EU-US Privacy Shield – under Scrutiny’ (Burges Salmon, 3 July 2019) <> accessed 16 November 2020.

[46] Schrems II (n 5).

[47] Information Commissioner’s Office (ICO), ‘Keep data flowing from the EEA to the UK – interactive tool’ «» accessed 26 November 2020.

[48] Lorna Woods, ‘ “You were only supposed to Blow the Bloody Doors Off!”: Schrems II and external transfers of personal data’ (EU Law Analysis, 16 July 2020) «» accessed 17 November 2020.

[49] Statutory Instrument No. 419 – The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU EXIT) Regulations 2019. 

[50] European Commission, ‘Binding Corporate Rules (BCR) – Corporate Rules for Data Transfers within Multinational Companies’ (European Commission, 25 May 2018) «» accessed 1 December 2020.

[51] PriceWaterhouseCoopers, ‘Binding Corporate Rules’ (PriceWaterhouseCoopers, 2019) «» accessed 1 December 2020.

[52] William Fry, ‘Binding Corporate Rules’ (Lexology, 19 March 2013)«,be%20intensive%20and%20drawn%20out.> > accessed 23 December 2020.

[53] GDPR, art 49.

[54] Ibid art 49(a) to (g).

[55] Ibid art 49(b).

[56] Elisabeth Dehareng ‘Data Transfers: Derogations for Specific Situations, Art.49 GDPR’ (Baker McKenzie, 2020) <> accessed 17 January 202.

Article by Osama Shaaban
LLB (Hons.) Oxford Brookes University '21