Policy Briefing — CJEU Schrems II Decision
Authoritative guide to the CJEU’s Schrems II decision, why the EU-U.S. Privacy Shield was invalidated, how to harden SCC-based transfers with supplementary measures, and the 90-day compliance actions to maintain lawful transatlantic data flows.
Executive briefing: On 16 July 2020 the Court of Justice of the European Union (CJEU) issued the Schrems II ruling in case C-311/18, invalidating the EU-U.S. Privacy Shield framework and imposing heightened due diligence on Standard Contractual Clauses (SCCs) and other transfer tools. Companies must pair legal instruments with technical and organizational controls that genuinely limit disproportionate access by foreign authorities while documenting risk-based decisions.
Decision overview
The judgment found that U.S. surveillance programs under Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333 lack safeguards equivalent to the EU Charter of Fundamental Rights. The Court held that the Privacy Shield Ombudsperson was neither sufficiently independent nor empowered to provide effective redress, leading to the mechanism’s invalidation. SCCs remain a viable transfer basis, but only where exporters and importers verify—on a case-by-case basis—that the destination country’s legal order, combined with the parties’ own safeguards, delivers a level of protection essentially equivalent to EU law, and apply supplementary measures when gaps appear.
Supervisory authorities must suspend or prohibit transfers if an exporter or importer cannot deliver that equivalence. The ruling therefore shifts accountability to organizations: they must justify reliance on SCCs or derogations using documented assessments of foreign law, practical access risks, and the effectiveness of technical mitigations such as strong encryption.
Why Privacy Shield fell and what replaced it
The Ombudsperson’s dependence on the U.S. State Department, absence of judicial review, and inability to issue binding orders prompted the Court’s conclusion that the Shield could not satisfy Article 47 Charter guarantees. The CJEU also stressed that U.S. intelligence collection under Section 702 and EO 12333 is not limited to what is strictly necessary and proportionate, which conflicts with Articles 7 and 8 of the Charter. These deficiencies required invalidation despite the framework’s commercial importance.
The EU and U.S. later negotiated the EU-U.S. Data Privacy Framework (DPF), which became operational in July 2023 after the European Commission’s adequacy decision. While the DPF now offers a recognized transfer mechanism, Schrems II remains binding precedent: SCC use still demands granular transfer risk assessments, and the DPF itself can be challenged. Organizations should treat DPF participation as one layer in a multi-tool strategy rather than a wholesale substitute for SCC diligence.
SCC implications and transfer risk assessments
Exporters must evaluate whether SCCs alone can mitigate risks in the specific transfer context. That assessment should inventory the data categories, sensitivity, frequency, storage location, access patterns, and onward transfers. It must also consider whether local laws permit foreign authorities to compel access without robust oversight and whether importers have received relevant national security demands. If the assessment identifies material risk, the exporter and importer must deploy supplementary measures or halt the transfer.
Technical safeguards with strong effectiveness include end-to-end encryption where the importer never holds the key, client-side encryption for backups, cryptographic key management under exclusive EU control, and granular access logging tied to insider threat monitoring. Contractual addenda should obligate importers to challenge disproportionate government requests, notify exporters promptly where legally permissible, maintain up-to-date records of disclosure demands, and avoid bulk data replication outside agreed regions. Organizational measures—such as staff training, least-privilege access, documented retention rules, and data minimization—round out the SCC package and provide evidence during regulatory inquiries.
Supplementary measures and accountability documentation
Exporters should map each data flow to a lawful transfer tool and record how supplementary measures align with the European Data Protection Board’s Recommendations 01/2020 on additional safeguards. The documentation should articulate threat models, cryptographic assumptions, residual risks, and controls that limit government access to intelligible data. Where pseudonymization is used, ensure separation of identifiers and maintain key custody within the EEA so that reidentification cannot occur lawfully in the third country.
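The key-custody and pseudonymization pattern described in this section and under “Technical safeguards” above, as an added Python example (it is not code from the CJEU, the EDPB or any vendor named on this page): direct identifiers are replaced by keyed pseudonyms before records leave the EEA, the HMAC key and the reidentification table stay with an EU custodian, every reidentification is written to an access log, and a helper shows why an unkeyed hash would not count as a supplementary measure. The class and function names (EUKeyCustodian, pseudonymize_for_export, unkeyed_hash) and the sample records are assumptions constructed for the example.

```python
"""Pseudonymization with EU-held key custody (added example, not page code)."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Optional

# Constructed sample dataset for illustration only (not real people).
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "ada@example.eu", "country": "DE", "tickets_opened": 3},
    {"name": "Bo Sample", "email": "bo@example.eu", "country": "FR", "tickets_opened": 1},
]
DIRECT_IDENTIFIERS = {"name", "email"}


def _normalize(identifier: str) -> str:
    # Canonical form so the same person always maps to the same pseudonym.
    return identifier.strip().lower()


class EUKeyCustodian:
    """Holds the HMAC key and the pseudonym-to-identifier table inside the EEA.

    Nothing in this object is part of the exported dataset; the importer only
    ever receives the output of pseudonymize_for_export().
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: dict[str, str] = {}
        self.reidentification_log: list[dict] = []

    def pseudonym(self, identifier: str) -> str:
        # Keyed hash: without the key, nobody can recompute the mapping from a
        # guessed identifier, unlike a plain SHA-256 of the e-mail address.
        digest = hmac.new(self._key, _normalize(identifier).encode(), hashlib.sha256)
        return digest.hexdigest()[:32]

    def register(self, identifier: str) -> str:
        # Store the reverse mapping in the EEA-resident table.
        p = self.pseudonym(identifier)
        self._lookup[p] = _normalize(identifier)
        return p

    def reidentify(self, pseudonym: str, requester: str, purpose: str) -> Optional[str]:
        # Granular access log: who resolved which pseudonym, when and why.
        self.reidentification_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "requester": requester,
            "purpose": purpose,
            "pseudonym": pseudonym,
        })
        return self._lookup.get(pseudonym)


def pseudonymize_for_export(records, custodian: EUKeyCustodian) -> list[dict]:
    """Return the only view of the data that crosses the border."""
    exported = []
    for rec in records:
        subject_id = custodian.register(rec["email"])
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject_id"] = subject_id
        exported.append(stripped)
    return exported


def contains_direct_identifiers(exported) -> bool:
    """Pre-transfer check: no direct identifier field may survive in the export."""
    return any(k in DIRECT_IDENTIFIERS for rec in exported for k in rec)


def unkeyed_hash(identifier: str) -> str:
    return hashlib.sha256(_normalize(identifier).encode()).hexdigest()


def unkeyed_hash_is_reproducible(identifier: str, observed_hash: str) -> bool:
    """Shows why an unkeyed hash is not a supplementary measure: anyone holding a
    candidate identifier can confirm it against the exported value."""
    return unkeyed_hash(identifier) == observed_hash


if __name__ == "__main__":
    custodian = EUKeyCustodian()
    exported = pseudonymize_for_export(SAMPLE_RECORDS, custodian)
    print("exported:", exported)
    print("direct identifiers present:", contains_direct_identifiers(exported))
    print("reidentified:", custodian.reidentify(exported[0]["subject_id"], "dpo@exporter.eu", "DSAR"))
    print("access log:", custodian.reidentification_log)
```

The design point is that the importer receives only `subject_id` values and non-identifying attributes; resolving a pseudonym back to a person requires both the key and the lookup table, which never leave the custodian, and each resolution leaves an auditable log entry that can be produced during a regulatory inquiry.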
Data protection impact assessments (DPIAs) should be updated to reflect Schrems II risks and any DPF enrollment. Include evidence of importer security certifications, penetration tests, and audit reports. Regulators and courts have emphasized substance over form: claims of “bank-grade security” without demonstrable controls will not satisfy the “essentially equivalent” benchmark.
Enforcement posture and sector signals
Supervisory authorities across the EEA have enforced Schrems II aggressively, particularly where analytics or tracking tools transfer data to U.S. processors. Several DPAs have ruled that standard implementations of popular web analytics scripts violated Article 44 GDPR absent robust supplementary measures. Life sciences, financial services, and SaaS providers handling employee telemetry or customer support data remain priority sectors because of their reliance on cloud-based collaboration platforms.
Organizations should monitor European Data Protection Board taskforce outputs and national DPA decisions to align risk assessments with current enforcement thresholds. Keep records of any concluded investigations or risk acceptances by lead supervisory authorities where you operate under the GDPR’s one-stop-shop mechanism.
Compliance actions for the next 90 days
1) Map transfers and classify risk. Create or refresh an asset-based register that lists each transfer, destination, purpose, SCC module, importer role, and data sensitivity. Prioritize flows involving special categories of data, monitoring or telemetry, large-scale profiling, or onward transfers to sub-processors.
2) Run and document transfer impact assessments. For each high-priority flow, evaluate the importer’s jurisdiction using credible legal analyses and incident history. Document how encryption, tokenization, or pseudonymization reduces intelligibility to third-country authorities and whether keys remain under EU control. Capture importer attestations about government access requests and any inability to comply with SCC clauses.
3) Harden technical controls. Implement customer-managed keys where available; enforce TLS 1.2+ with forward secrecy; restrict administrative access through just-in-time elevation and hardware-backed MFA; and deploy data loss prevention tuned to the transferred data classes. Ensure backups and disaster recovery replicas follow the same protections.
4) Update contracts and notices. Refresh SCCs to the 2021 modernized modules, add processor addenda that mirror the EDPB supplementary measures guidance, and revise privacy notices to reflect transfer bases and residual risks. Require sub-processors to flow down identical obligations, including transparency around law-enforcement disclosures.
5) Prepare playbooks for government requests. Establish standard operating procedures for assessing legality, narrowing scope, and challenging disproportionate requests. Maintain lawyer-led escalation paths, pre-drafted responses, and evidence templates to demonstrate proportionality analyses to both authorities and customers.
6) Validate Data Privacy Framework posture. If enrolled, confirm the organization’s public representations match Department of Commerce listings, ensure annual re-certification calendars are tracked, and align DPF principles with internal retention and access controls. Where you rely on a vendor’s DPF certification, document their certification status and service scope.
7) Communicate with stakeholders. Provide concise customer updates summarizing the Schrems II implications, your SCC hardening steps, and any limitations. Coordinate with procurement and security teams so vendor risk reviews reflect the updated transfer landscape and avoid signing legacy pre-2021 SCCs.
Strategic roadmap
Near-term controls should be complemented by medium-term architectural moves. Consider regionalized processing that keeps identifiable data within the EEA, paired with anonymization or privacy-preserving analytics for cross-border insight sharing. Evaluate trusted execution environments to keep keys server-side while reducing operator access. Where possible, select vendors offering EU data residency options audited to ISO 27001, SOC 2 Type II, or EU Cloud Code of Conduct Level 2, and negotiate contract terms that recognize Schrems II constraints.
Revisit incident response plans to ensure they cover unlawful access allegations by foreign authorities, including how to notify DPAs within 72 hours if a transfer control fails. Train customer-facing teams to respond accurately to data sovereignty questions without overpromising immunity from lawful access.
Schrems II makes clear that transferring personal data outside the EEA is no longer a checkbox exercise. Sustained compliance requires verifiable technical safeguards, updated legal instruments, and transparent communication grounded in authoritative guidance such as the CJEU’s judgment and the EDPB’s Recommendations 01/2020 on supplementary measures. Organizations that can evidence this alignment will be best positioned to preserve global data flows while respecting EU fundamental rights.
Authoritative sources: CJEU judgment in Case C-311/18 (Schrems II); EDPB Recommendations 01/2020 on supplementary measures.