Glossary · EU Court Ruling Schrems II
The 2020 European Court of Justice ruling that invalidated the EU-US Privacy Shield, making transatlantic data transfers legally precarious for European businesses.
## What Schrems II actually ruled
On 16 July 2020, the Court of Justice of the European Union (CJEU) issued judgment in Case C-311/18, known as Schrems II. The ruling did two things:
1. **Invalidated the EU-US Privacy Shield** — the framework that had allowed US companies to self-certify GDPR-equivalent data protection standards
2. **Tightened requirements for Standard Contractual Clauses (SCCs)** — the contractual mechanism still allowed for transatlantic data transfers
The case was brought by Max Schrems, the Austrian privacy lawyer whose earlier case, Schrems I (2015), had already led to the invalidation of the Privacy Shield's predecessor (Safe Harbor).
## Why the Privacy Shield was struck down
The CJEU found two fundamental problems with US legal protections for EU data:
1. **US surveillance programs** (notably FISA Section 702 and Executive Order 12333) allow bulk surveillance of foreign nationals without judicial oversight equivalent to EU standards
2. **No effective remedy** for EU citizens whose data was subject to US surveillance — no judicial recourse comparable to what GDPR requires
The court concluded that US legal protections fall below the "essentially equivalent" standard GDPR requires for international data transfers.
## What this means in practice
After Schrems II, European businesses sending personal data to the US have three options:
**1. Use Standard Contractual Clauses (SCCs) with additional safeguards.** SCCs remain valid but the burden falls on the data exporter (the EU business) to assess whether US legal protections are adequate in their specific circumstances. This Transfer Impact Assessment (TIA) is operationally complex.
**2. Use EU-resident processing only.** Avoid the transatlantic transfer entirely by choosing EU-headquartered providers with no US corporate ties. This is the strongest legal protection.
**3. Use the EU-US Data Privacy Framework (DPF).** Adopted July 2023, the DPF replaces the Privacy Shield with strengthened protections. Privacy advocates including Max Schrems have already announced plans to challenge the DPF in court (Schrems III).
For most European businesses, option 2 (EU-resident processing) provides the cleanest legal posture. Options 1 and 3 work but carry ongoing legal uncertainty.
## What "Schrems III" might bring
The EU-US Data Privacy Framework (DPF), in force since 2023, is the current basis for transatlantic data transfers. Key changes from the Privacy Shield:
- New "Data Protection Review Court" provides judicial oversight of US intelligence access to EU data
- Stricter limitations on bulk data collection
- Specific commitments on proportionality and necessity
The legal challenge already filed by NOYB (None Of Your Business — Schrems's organization) argues these reforms still fall short of GDPR's "essentially equivalent" standard. A future Schrems III ruling could invalidate the DPF, returning the transatlantic transfer landscape to post-Schrems-II uncertainty.
Timeline: a CJEU ruling on the DPF could come in 2026-2027.
## Why this matters for tool choice
For European businesses making vendor decisions in 2026:
- **The DPF is currently valid** but legally uncertain
- **SCCs remain the safer fallback** but require ongoing TIA compliance work
- **EU-resident providers** avoid the transfer issue entirely
For sensitive use cases (health data, employee data, customer data of vulnerable populations), the prudent path is choosing EU-resident providers from the start. For routine business workloads, US providers under the DPF + SCCs remain workable but should be reviewed periodically.
Schrems II isn't a one-time event — it's an ongoing legal tension that periodically resurfaces. Treating it as background context rather than crisis-of-the-month is the operationally sound approach.