Winter is Here: The Impossibility of Schrems II for U.S.-Based Direct-to-Consumer Companies

Zimmer, Vanessa | October 24, 2022

In this paper, Vanessa Zimmer exposes the precarious position of Direct-to-Consumer (DTC) companies that are physically located in the United States but still subject to the European General Data Protection Regulation (GDPR) under Article 3(2) because they offer goods or services to European consumers online. Standard Contractual Clauses (SCCs) and supplementary measures have dominated privacy conversions in the year since the European Court of Justice invalidated the EU-U.S. Privacy Shield framework with its Schrems II decision. However, Zimmer argues that the greater issue for U.S.-based DTC companies is the lack of clarity over what constitutes an international, or restricted, transfer under the GDPR in the first place. Is an international transfer any physical transfer of personal data from within the European Economic Area to outside its borders (the so-called “geographic” definition of international transfer) regardless of whether the foreign recipient is already directly subject to the GDPR? Or, is an international transfer only considered such if the recipient is located outside of the European Economic Area and not already directly subject to the GDPR (the so-called “jurisdictional” definition of international transfer)? Zimmer explains the rationale for each position and ultimately argues in favor of a jurisdictional definition of international transfers. The European Data Protection Board of the European Commission (the EDPB) and individual Member State supervisory authorities have repeatedly failed to define international transfers since the passage of the GDPR. This repeated failure to clarify the interplay between the territorial scope of the GDPR under Article 3(2) and the transfer restrictions of the GDPR under Chapter V has left U.S.-based DTC businesses uncertain of whether they are making international transfers under the GDPR and whether they must subsequently implement safeguards, such as SCCs, to protect those transfers. Zimmer explains how the Schrems II decision exposed the EDPB’s failure and exacerbated the already uncertain status of European personal data processing by U.S.-based DTC companies. The EDPB has further complicated the status of international transfers in its post-Schrems II guidance and its issuance of new SCCs for international transfers. Zimmer contends that it is vital for the sake of transatlantic trade and the continued integrity of the EDPB that the EDPB clearly defines international transfers and explains the applicability of transfer mechanisms to U.S.-based DTC companies.