Glossary
Schrems II
The 2020 CJEU judgment (Case C-311/18) that invalidated the EU-US Privacy Shield and tightened third-country transfer rules. EU exporters must verify case-by-case whether the destination country provides essentially equivalent protection to EU data-protection law. The practical consequence for whistleblowing platforms: EU hosting is the safe path. The successor EU-US Data Privacy Framework faces ongoing legal challenges.
Full definition
Schrems II (Case C-311/18, judgment of 16 July 2020) invalidated the EU-US Privacy Shield framework and imposed strict scrutiny on Standard Contractual Clauses (SCCs) for personal-data transfers to third countries. The court held that EU exporters must verify, on a case-by-case basis, whether the destination country provides 'essentially equivalent' protection to EU data-protection law. The practical consequence for whistleblowing platforms: EU-hosted is the safe path. The successor framework, the EU-US Data Privacy Framework, is in force since July 2023 but faces ongoing legal challenges.
Related terms
- GDPR Regulation (EU) 2016/679, the General Data Protection Regulation, governs processing of personal data of EU residents. Whistleblowing channels process personal data of the reporter, the person reported on, and third parties named in the report. Key articles: Art. 6 (legal basis), Art. 5 (minimisation), Art. 9 (special categories), Art. 17 (erasure), and Art. 30 (records).
- Data Residency The geographic location where personal data is stored and processed. For EU whistleblowing channels, EU-only data residency is strongly preferred because it avoids GDPR Chapter V transfer complications, aligns with national whistleblower laws like Loi Sapin II, and simplifies the Article 6 legal-basis analysis. Confidly hosts all data in EU data centres.