Schrems II Explained: What the End of Privacy Shield Means for Your Business
The 2020 ruling invalidated EU-US data transfers overnight. Understanding the implications helps you make better infrastructure choices.
On July 16, 2020, the Court of Justice of the European Union issued a ruling that sent shockwaves through the tech industry. In the case known as Schrems II, the court invalidated the EU-US Privacy Shield framework that thousands of companies relied on for transatlantic data transfers. Understanding this ruling is essential for any business making infrastructure decisions today.
The Background: Max Schrems vs. Facebook
Austrian privacy activist Max Schrems first challenged Facebook's data transfers to the US in 2013. His complaint led to Schrems I in 2015, which invalidated the previous Safe Harbor framework. The EU and US then negotiated Privacy Shield as a replacement.
Schrems challenged Privacy Shield too, arguing it didn't adequately protect EU citizens' data from US surveillance. The CJEU agreed.
What the Court Decided
The CJEU's ruling made several key findings:
1. Privacy Shield is invalid. US surveillance laws, particularly Section 702 of FISA and Executive Order 12333, allow mass collection of data that violates EU fundamental rights. Privacy Shield's oversight mechanisms don't provide adequate remedies for EU citizens.
2. Standard Contractual Clauses remain valid—but with conditions. SCCs can still be used, but data exporters must assess whether the recipient country's legal framework allows the importer to comply. If not, supplementary measures are required.
3. Assessment is mandatory. Companies cannot blindly rely on SCCs. They must conduct Transfer Impact Assessments (TIAs) to evaluate the legal situation in the recipient country.
The Practical Impact
Overnight, thousands of companies found their US data transfers on shaky legal ground. The ruling created several immediate challenges:
Post-Schrems II Requirements for US Transfers
- Conduct a Transfer Impact Assessment for each transfer
- Evaluate US surveillance laws and their application to your data
- Implement supplementary measures (encryption, pseudonymization, contractual commitments)
- Document your assessment and be prepared to demonstrate compliance
- Monitor for changes in the legal landscape and reassess regularly
The Data Privacy Framework: A New Hope?
In 2023, the EU and US announced the EU-US Data Privacy Framework as Privacy Shield's successor. The US issued Executive Order 14086 to address the court's concerns about surveillance oversight.
However, the framework faces ongoing legal challenges. Privacy advocates, including Max Schrems' organization noyb, have already indicated they will challenge the new framework. Many experts expect a "Schrems III" ruling within a few years.
For businesses, this creates continued uncertainty. Building your infrastructure on a legal framework that might be invalidated again is risky.
Why This Keeps Happening
The fundamental problem isn't inadequate agreements—it's incompatible legal systems. US law grants intelligence agencies broad surveillance powers with limited oversight for non-US persons. EU law treats privacy as a fundamental right that can only be restricted under strict conditions.
No agreement between governments can fully resolve this tension. As long as US surveillance law remains unchanged, any framework will face legal challenges based on the same fundamental rights arguments that sank Safe Harbor and Privacy Shield.
The Structural Solution: EU-Only Processing
The only way to completely avoid Schrems-related risks is to avoid transatlantic transfers entirely. When you process personal data exclusively within the EU using EU-incorporated providers, the entire framework of international transfer rules simply doesn't apply.
This isn't always possible—some services have no EU alternatives. But for many common business functions, including email, it's entirely feasible. German providers, in particular, offer robust alternatives that eliminate transfer concerns completely.
Lessons for Infrastructure Decisions
Schrems II offers several lessons for businesses making technology choices:
- Legal frameworks can change overnight. What's compliant today might not be tomorrow.
- Fundamental conflicts don't get resolved easily. Expect continued uncertainty around US transfers.
- Architecture decisions have compliance implications. Choosing where data is processed is a strategic decision.
- Simplicity has value. Avoiding transfers entirely is simpler than managing transfer compliance.
Moving Forward
Whether you're evaluating new vendors or reassessing existing relationships, consider Schrems II implications carefully. For data processing that doesn't require US-based services—and most doesn't—European alternatives offer a path to stable, defensible compliance.
The companies that will navigate future privacy rulings most smoothly are those that minimize their exposure to international transfer complexity today.
Avoid transfer complexity entirely
eml.dev processes all data within the EU. No transfers, no TIAs, no uncertainty.