Schrems II
Definition
Schrems II is the Court of Justice of the European Union ruling C-311/18 of 16 July 2020 that invalidated the EU-US Privacy Shield and tightened the requirements for transfers of personal data to the United States.
01 Background and plaintiff
Schrems II is the shorthand for the ruling of the Court of Justice of the European Union in case C-311/18, handed down on 16 July 2020. The plaintiff was the Austrian lawyer Maximilian Schrems, who since 2013 has challenged the transfer of his user data from Facebook Ireland to its US parent company. The same plaintiff had already, in 2015, brought down the Safe Harbor framework through ruling C-362/14 (Schrems I).
The case concerned whether the Standard Contractual Clauses (SCCs) and the EU-US Privacy Shield were valid legal bases for transferring personal data from the EU to the United States under the GDPR.
02 Key points of the ruling
The CJEU declared the EU-US Privacy Shield Decision 2016/1250 invalid. The reasoning rested on US surveillance laws, in particular Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333. These laws allow US authorities access to personal data on a scale that, in the court's view, fails the European proportionality test. Affected individuals also lack effective judicial remedies before US courts.
Standard Contractual Clauses remained valid in principle, but with a tightened review duty: data exporters must assess before each transfer whether the recipient country offers a level of protection comparable to that of the EU. If not, additional technical, contractual or organisational measures are required. This review is known as a Transfer Impact Assessment (TIA).
03 Consequences for businesses
For EU businesses using US services, the ruling produced three central consequences. First, every transfer to a third country must be preceded by a Transfer Impact Assessment. Second, technical and organisational safeguards qualify only if they actually prevent access by US authorities. The CJEU explicitly named end-to-end encryption with keys not held by the US provider as a qualifying example. Third, liability rests primarily with the data exporter in the EU, not with the US recipient.
Several European data protection authorities have since imposed fines on companies using US services without adequate safeguards. In January 2022 the Austrian Data Protection Authority found the use of Google Analytics on an Austrian website to be unlawful. Comparable decisions followed in France, Italy and Liechtenstein.
04 Implications for EU alternatives
The ruling has reshaped the market for European software and cloud providers. Vendors from EU member states and countries with an adequacy decision (Switzerland, Norway, United Kingdom) actively market the fact that they do not require a Transfer Impact Assessment. Examples include Proton Mail, Tutanota and Mailbox.org in email, Plausible and etracker in web analytics, and Hetzner, OVHcloud and Scaleway in cloud hosting.
The German Conference of Independent Data Protection Supervisory Authorities (DSK) noted in November 2020 that, in many cases, choosing an EU provider is the simplest path to GDPR compliance. The German Federal Commissioner for Data Protection (BfDI) explicitly pointed to European alternatives in 2022.
05 Current status
In July 2023 the EU-US Data Privacy Framework entered into force as the successor to the Privacy Shield. On this basis, data transfers to certified US companies are again possible without additional SCCs. Maximilian Schrems has announced that he will challenge the new framework before the CJEU; observers expect a decision in 2026 or 2027. Until then the Schrems II requirements remain binding for all transfers not covered by DPF certification.
In practice
Relevant European alternatives
Proton Mail
Switzerland · Email & Messaging
End-to-end encrypted email service from Switzerland
Tuta Mail
Germany · Email & Messaging
Fully encrypted email service with eco-powered servers in Germany
mailbox.org
Germany · Email & Messaging
Integrated business platform on German servers
Plausible
Estonia · Web Analytics
Lightweight, GDPR-compliant web analytics without cookies
Hetzner
Germany · Cloud & Hosting
German cloud infrastructure and hosting services
OVHcloud
France · Cloud & Hosting
Cloud infrastructure with European data centers
etracker
Germany · Web Analytics
Cookie-free web analytics from Germany
See also
Other glossary entries
- CLOUD Act (US federal law): The CLOUD Act is a 2018 US federal law that compels US-based providers to disclose data to US authorities regardless of where the data is physically stored.
- Zero-Knowledge Encryption (encryption method): Zero-knowledge encryption is an encryption model in which the service provider never has access to the user's unencrypted data. Key generation takes place on the user's device.