Schrems II voids Privacy Shield and tightens SCC due diligence

The CJEU’s Schrems II judgment invalidated the EU–U.S. Privacy Shield and reaffirmed Standard Contractual Clauses while requiring exporters to assess destination surveillance regimes and apply supplementary safeguards before transfers.

Reviewed for accuracy by Kodi C.

Landmark Privacy Shield Invalidation

The European Court of Justice invalidated the EU-US Privacy Shield framework on 16 July 2020 in the Schrems II judgment, determining that US surveillance law did not provide the safeguards and redress mechanisms required under EU fundamental rights law. The decision immediately affected thousands of organizations that relied on Privacy Shield certification for lawful personal data transfers from the EU to the United States.

The Court found that US national security laws, particularly Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333, enabled surveillance access to European personal data without providing essentially equivalent protection to GDPR standards. This ruling fundamentally disrupted transatlantic data flows and forced organizations to reevaluate their data transfer mechanisms.

Standard Contractual Clauses Validation with Conditions

While invalidating Privacy Shield, the Court upheld the validity of Standard Contractual Clauses (SCCs) as a mechanism for international data transfers, subject to important conditions. Data exporters must verify on a case-by-case basis whether destination country law provides adequate protection for transferred data, conducting transfer impact assessments that evaluate recipient country surveillance authorities, data subject rights, and legal remedies.

Where the assessment reveals inadequate protection, exporters must implement supplementary measures—technical, organizational, or contractual—that address the identified gaps. This case-by-case assessment requirement created a significant compliance burden for organizations using SCCs for US transfers.

Transfer Impact Assessment Requirements

Post-Schrems II guidance from the European Data Protection Board clarified that transfer impact assessments (TIAs) must evaluate specific factors in destination countries. Relevant considerations include published surveillance laws and oversight mechanisms, access request statistics from intelligence agencies, legal challenges and redress outcomes, and enforcement practice patterns.

For US transfers specifically, assessments must address Section 702, Executive Order 12333, FISA Court oversight limitations, and the adequacy of available redress mechanisms. The assessment process requires legal expertise regarding destination country law combined with technical understanding of data flows and protection mechanisms.

Supplementary Measures Framework

Where TIAs identify inadequate protections, organizations must implement supplementary measures that effectively address gaps. Technical measures providing strongest protection include strong encryption where keys remain exclusively with the data exporter and pseudonymization that prevents re-identification by recipients without separate key information.

Organizational measures encompass internal policies, access controls, and governance procedures that limit exposure. Contractual measures extend SCC obligations but cannot override conflicting local law. The EDPB emphasized that supplementary measures must effectively prevent access by problematic authorities rather than merely creating procedural obstacles, which limits the effectiveness of purely contractual or organizational approaches.

Immediate Business Impact and Response

The judgment created immediate compliance challenges for organizations across industries. Companies relying primarily on Privacy Shield faced urgent needs to transition to alternative mechanisms. Those using SCCs confronted new assessment and documentation obligations.

Cloud services, SaaS applications, and multinational data processing arrangements all required evaluation against Schrems II requirements. Data protection authorities signaled heightened scrutiny of international transfers, with the Irish and other authorities initiating investigations against major technology platforms. Organizations responded with varying approaches, ranging from strengthened technical protections to data localization strategies that minimize international transfers.

Regulatory Guidance Development

Following the judgment, the European Data Protection Board issued recommendations on transfer tools and supplementary measures, providing detailed guidance on TIA methodology and supplementary measure effectiveness. Individual supervisory authorities published additional guidance reflecting national enforcement priorities.

The guidance clarified that no supplementary measures can address legal deficiencies in destination countries where law requires access to data in readable form—a significant concern for cloud services and applications processing data in US facilities. If you are affected, continuously monitor evolving guidance as enforcement experience and legal developments inform regulatory expectations.

Path to Resolution

The Schrems II invalidation triggered diplomatic negotiations between the EU and US to develop improved safeguards addressing Court concerns. These negotiations ultimately produced Executive Order 14086 and the EU-US Data Privacy Framework, which the European Commission approved through an adequacy decision in July 2023. However, legal challenges to the new framework are anticipated, and you should maintain contingency plans recognizing that adequacy arrangements remain subject to potential future invalidation. Robust data transfer governance frameworks should accommodate multiple transfer mechanism options and adapt to evolving legal requirements.

Implementation Considerations for Organizations

Data mapping and inventory. Organizations must comprehensively map personal data flows to identify all international transfers subject to Schrems II requirements. This includes direct transfers to third-country processors, indirect flows through cloud service providers, and intra-group transfers within multinational organizations. Data inventories should document legal bases for transfers, recipient jurisdictions, and applicable transfer mechanisms.

Vendor management implications. Organizations using US-based cloud services, SaaS applications, or processors must engage vendors regarding their Schrems II compliance approaches. Vendor assessments should evaluate supplementary measures implemented, data processing locations, and contractual commitments regarding government access requests. Due diligence questionnaires should incorporate TIA-relevant inquiries regarding vendor practices and legal exposure in problematic jurisdictions.

Ongoing monitoring obligations. Schrems II compliance requires continuous rather than point-in-time assessment. If you are affected, monitor legal developments in destination countries, update TIAs when circumstances change, and reassess supplementary measure effectiveness as technical capabilities evolve. Governance frameworks should establish review cycles and trigger events requiring assessment updates.
