Schrems II refers to the July 2020 ruling by the Court of Justice of the European Union (CJEU) in the case Data Protection Commissioner v Facebook Ireland and Maximillian Schrems. The decision struck down the EU-U.S. Privacy Shield as an invalid legal mechanism for transferring personal data from the EU to the U.S.
The core reason? U.S. surveillance programs, governed by laws such as FISA 702 and EO 12333, were deemed incompatible with EU privacy standards, particularly because EU citizens lacked enforceable legal remedies in the U.S.
1. Privacy Shield Is No Longer Valid
The CJEU ruling in Schrems II (July 2020) invalidated the EU-U.S. Privacy Shield, making it illegal to rely solely on this framework for data transfers from the EU to the U.S.
2. Standard Contractual Clauses (SCCs) Must Be Supplemented
Companies can still use SCCs for international transfers, but must now assess the recipient country’s surveillance laws and implement additional protections where necessary.
3. Schrems II Demands Accountability
Organisations are now expected to document transfer impact assessments (TIAs), apply technical protections, and ensure the enforceability of EU data subject rights even outside the EU.
If your company transfers personal data from the EU to third countries, including the U.S., you cannot rely on the Privacy Shield. Instead, you must:
• Use SCCs, Binding Corporate Rules, or approved codes of conduct.
• Conduct a Transfer Impact Assessment (TIA) to determine if the destination country offers an equivalent level of data protection.
• Implement supplementary measures, such as encryption or pseudonymisation, especially if the importing country has invasive surveillance practices.
In a post-GDPR world, data transfers are heavily scrutinised. Schrems II has made compliance more complex, placing the burden squarely on businesses to verify whether international transfers are safe and lawful.
This means that data exporters need to:
• Audit their data flows.
• Classify third countries’ legal environments.
• Strengthen technical and legal protections.
Non-compliance can result in significant fines, reputational damage, and operational disruptions.
1. Map Your Data Flows
Know precisely what personal data is being transferred, and where it’s going.
2. Assess Legal Risks in the Destination Country
Review foreign laws and determine if they respect EU-like data protection rights.
3. Use Strong Encryption and Anonymisation
Protect data so that it remains unreadable to unauthorised parties, even if it is intercepted.
4. Update Contracts
Ensure that SCCs are included in all relevant contracts and that they accurately reflect current requirements.
5. Consult Legal Experts
Regulatory interpretations continue to evolve. Regularly review compliance measures with a data protection advisor.
1. What is the primary outcome of the Schrems II ruling?
The CJEU invalidated the EU-U.S. Privacy Shield as a lawful basis for transatlantic data transfers due to inadequate protection against U.S. surveillance and the lack of legal remedies for EU citizens.
2. Are Standard Contractual Clauses (SCCs) still valid after Schrems II?
Yes, SCCs remain valid, but only if the data exporter ensures that the importing country’s laws don’t undermine their effectiveness. Supplementary measures may be necessary.
3. What are Transfer Impact Assessments (TIAs)?
A TIA is an evaluation conducted by the data exporter to assess the legal environment of the destination country and determine whether additional safeguards are needed before the transfer.
4. What happens if I continue using the Privacy Shield?
Using Privacy Shield post-Schrems II violates the GDPR. Regulators can issue fines and suspend data flows, and your company could face litigation from affected data subjects.