What Is Schrems II and How Does It Impact Your Business Contracts?

The clock is ticking. If you have customers in the EU, or if you handle customer information for businesses that do, then you’re running out of time to get your data privacy clauses up to date, thanks to Schrems II.

What is Schrems II?

On July 16, 2020, the European Court of Justice (ECJ) issued what is commonly known as the “Schrems II” decision. This court case, Data Protection Commissioner v. Facebook Ireland Ltd., stemmed from the second complaint filed by Maximilian Schrems against Facebook’s Ireland subsidiary regarding the transfer of personal data to Facebook, Inc. in the United States.

Context of Schrems II

First, it’s helpful to look at the context of the Schrems II judgment. In 2001 and 2010, the European Commission created a set of standard contractual clauses (SCCs) to promote good data privacy practices on the part of any business gathering personal data from customers in the EU and exporting that data to entities outside the EU. Personal data refers to information a business collects from customers that could be used to identify those customers, from names and contact information to web browsing habits.

In 2016, the EU and the US together created the Privacy Shield Framework to provide guidelines for the secure transfer of customer data from businesses in the EU to business partners in the US. The European Union then created the General Data Protection Regulation (GDPR), administered by the European Data Protection Board, in 2018.

Schrems II summary and impact

The GDPR prohibits data transfers out of the EU without adequate safeguards. The first component of those safeguards is an adequacy decision by the European Commission. This means that the data protection laws in the country where the receiving entity is located are essentially equivalent to the GDPR.

The second component is a mechanism for the transfer. When the GDPR was created, the then-existing SCCs were still considered adequate to protect personal data flows between businesses.

The argument raised in Schrems II, however, was that the Privacy Shield and SCCs were insufficient to prevent public authorities (namely, intelligence agencies) in the US from gaining access to Facebook users’ personal data while it was in transit to or being stored in the US. The ECJ responded by invalidating the EU-US Privacy Shield, determining that the data transfer mechanisms it laid out were insufficient.

Regarding the SCCs, the high court ruled that they were still viable data transfer mechanisms, but they required additional safeguards. Accordingly, the European Commission released an updated version of the SCCs in June 2021 to address gaps and clarify gray areas.

Now, organizations that transfer or receive EU customer data must update their contracts to comply with the new SCCs by the 2022 deadline.

Critical dates for Schrems II

The prior version of the SCCs expired on September 27, 2021. Data exporters and importers that previously relied on the old version of the SCCs must now use the updated version of the SCCs in any new data processing agreements they enter.

However, that leaves the issue of noncompliant legacy contracts that are still in effect. Businesses exporting or receiving customer data from the EU must update all outdated language throughout their existing contracts to conform to the new SCCs by December 27, 2022.

What you need to do with your contracts

There are many steps that businesses exporting or importing personal data need to take to ensure compliance with shifting data privacy regulations. Here’s a contract-specific list to help in-house counsel, compliance officers, and contract managers get their commercial agreements in line with the new SCCs:

  1. Get all of your relevant contracts and related documents together in one place.
  2. Review relevant clauses throughout your contract portfolio to identify (a) provisions that are already compliant with the new SCCs, (b) outdated language that needs to be updated by December, and (c) any agreements that are already noncompliant right now.
  3. Prepare standard language that’s compliant with the new SCCs, if you haven’t already.
  4. Prioritize agreements based on urgency, including current compliance status and the magnitude of risk exposure that each contract presents.
  5. Coordinate with all relevant stakeholders, including the party/ies on the other side of each agreement.
  6. Update the most urgent documents first, then move down the list until all of your agreements are ready for the new SCC standards.
  7. Track compliance on an ongoing basis once you’ve executed the revised agreements.

How Evisort can help 

That might sound like a lot of work, especially if you have thousands of active contracts and you’re just getting started. No need to panic — that’s why we’re here. Evisort’s powerful machine learning and natural language processing capabilities can help you quickly organize your contracts, identify noncompliant language throughout your portfolio, and efficiently update it.

Here are some of the key benefits of using Evisort’s best-in-class contract AI for regulatory compliance and risk management:

Remediate with confidence

Quickly centralize all of your contracts in a single source of truth, triage, and update agreements, all without manual data entry or expensive, time-consuming outsourcing. Create new templates, generate amendments, and draft all-new data processing agreements crafted from scratch to comply with the new SCCs, then negotiate and execute them — all from one end-to-end platform.

Get answers on demand

Automatically search, report, and get notifications on your data privacy commitments. Find key clauses, identify gaps, and assess your business’s risk exposure. Identify and track both executed and unexecuted contracts.

Respond faster to breaches

Automatically track all of your contractual obligations to provide notice to clients or vendors regarding data breaches. See exactly how much time you have to give notice in the event of a breach — meaning you’ll have one fewer fire drill to worry about.

Adapt efficiently

Search for compliant and noncompliant language throughout your entire contract database, find and retroactively track clauses related to data privacy laws, enforce data privacy terms when generating new contracts, and ensure proper review for other new data privacy regulations as they emerge.

Evisort’s contract intelligence helps you get ahead of compliance challenges instead of perennially trying to catch up and put out fires.

Ready to learn more about how you can quickly get compliant with the new SCCs well ahead of the impending deadline? Check out our webinar with data privacy and compliance expert Debbie Reynolds.


The clock is ticking. If you have customers in the EU, or if you handle customer information for businesses that do, then you’re running out of time to get your data privacy clauses up to date, thanks to Schrems II.

What is Schrems II?

On July 16, 2020, the European Court of Justice (ECJ) issued what is commonly known as the “Schrems II” decision. This court case, Data Protection Commissioner v. Facebook Ireland Ltd., stemmed from the second complaint filed by Maximilian Schrems against Facebook’s Ireland subsidiary regarding the transfer of personal data to Facebook, Inc. in the United States.

Context of Schrems II

First, it’s helpful to look at the context of the Schrems II judgment. In 2001 and 2010, the European Commission created a set of standard contractual clauses (SCCs) to promote good data privacy practices on the part of any business gathering personal data from customers in the EU and exporting that data to entities outside the EU. Personal data refers to information a business collects from customers that could be used to identify those customers, from names and contact information to web browsing habits.

In 2016, the EU and the US together created the Privacy Shield Framework to provide guidelines for the secure transfer of customer data from businesses in the EU to business partners in the US. The European Union then created the General Data Protection Regulation (GDPR), administered by the European Data Protection Board, in 2018.

Schrems II summary and impact

The GDPR prohibits data transfers out of the EU without adequate safeguards. The first component of those safeguards is an adequacy decision by the European Commission. This means that the data protection laws in the country where the receiving entity is located are essentially equivalent to the GDPR.

The second component is a mechanism for the transfer. When the GDPR was created, the then-existing SCCs were still considered adequate to protect personal data flows between businesses.

The argument raised in Schrems II, however, was that the Privacy Shield and SCCs were insufficient to prevent public authorities (namely, intelligence agencies) in the US from gaining access to Facebook users’ personal data while it was in transit to or being stored in the US. The ECJ responded by invalidating the EU-US Privacy Shield, determining that the data transfer mechanisms it laid out were insufficient.

Regarding the SCCs, the high court ruled that they were still viable data transfer mechanisms, but they required additional safeguards. Accordingly, the European Commission released an updated version of the SCCs in June 2021 to address gaps and clarify gray areas.

Now, organizations that transfer or receive EU customer data must update their contracts to comply with the new SCCs by the 2022 deadline.

Critical dates for Schrems II

The prior version of the SCCs expired on September 27, 2021. Data exporters and importers that previously relied on the old version of the SCCs must now use the updated version of the SCCs in any new data processing agreements they enter.

However, that leaves the issue of noncompliant legacy contracts that are still in effect. Businesses exporting or receiving customer data from the EU must update all outdated language throughout their existing contracts to conform to the new SCCs by December 27, 2022.

What you need to do with your contracts

There are many steps that businesses exporting or importing personal data need to take to ensure compliance with shifting data privacy regulations. Here’s a contract-specific list to help in-house counsel, compliance officers, and contract managers get their commercial agreements in line with the new SCCs:

  1. Get all of your relevant contracts and related documents together in one place.
  2. Review relevant clauses throughout your contract portfolio to identify (a) provisions that are already compliant with the new SCCs, (b) outdated language that needs to be updated by December, and (c) any agreements that are already noncompliant right now.
  3. Prepare standard language that’s compliant with the new SCCs, if you haven’t already.
  4. Prioritize agreements based on urgency, including current compliance status and the magnitude of risk exposure that each contract presents.
  5. Coordinate with all relevant stakeholders, including the party/ies on the other side of each agreement.
  6. Update the most urgent documents first, then move down the list until all of your agreements are ready for the new SCC standards.
  7. Track compliance on an ongoing basis once you’ve executed the revised agreements.

How Evisort can help 

That might sound like a lot of work, especially if you have thousands of active contracts and you’re just getting started. No need to panic — that’s why we’re here. Evisort’s powerful machine learning and natural language processing capabilities can help you quickly organize your contracts, identify noncompliant language throughout your portfolio, and efficiently update it.

Here are some of the key benefits of using Evisort’s best-in-class contract AI for regulatory compliance and risk management:

Remediate with confidence

Quickly centralize all of your contracts in a single source of truth, triage, and update agreements, all without manual data entry or expensive, time-consuming outsourcing. Create new templates, generate amendments, and draft all-new data processing agreements crafted from scratch to comply with the new SCCs, then negotiate and execute them — all from one end-to-end platform.

Get answers on demand

Automatically search, report, and get notifications on your data privacy commitments. Find key clauses, identify gaps, and assess your business’s risk exposure. Identify and track both executed and unexecuted contracts.

Respond faster to breaches

Automatically track all of your contractual obligations to provide notice to clients or vendors regarding data breaches. See exactly how much time you have to give notice in the event of a breach — meaning you’ll have one fewer fire drill to worry about.

Adapt efficiently

Search for compliant and noncompliant language throughout your entire contract database, find and retroactively track clauses related to data privacy laws, enforce data privacy terms when generating new contracts, and ensure proper review for other new data privacy regulations as they emerge.

Evisort’s contract intelligence helps you get ahead of compliance challenges instead of perennially trying to catch up and put out fires.

Ready to learn more about how you can quickly get compliant with the new SCCs well ahead of the impending deadline? Check out our webinar with data privacy and compliance expert Debbie Reynolds.