Data Strategy Briefing — Schrems II invalidates EU–US Privacy Shield
The CJEU’s Schrems II ruling on 16 July 2020 struck down the EU–US Privacy Shield and tightened scrutiny on Standard Contractual Clauses, forcing companies to add transfer assessments and supplementary safeguards for cross-border data flows.
The Court of Justice of the European Union (CJEU) issued the Schrems II judgment on 16 July 2020, invalidating the EU–US Privacy Shield adequacy framework and affirming Standard Contractual Clauses (SCCs) with stricter obligations. The ruling took effect immediately, forcing organisations that relied on Privacy Shield to pivot to SCCs or alternative transfer mechanisms while documenting surveillance risks and supplementary safeguards. Schrems II also empowered supervisory authorities to suspend transfers that cannot achieve an essentially equivalent level of protection.
What changed
- Privacy Shield invalidated: Transfers based on Privacy Shield lost their legal basis overnight, requiring migration to SCCs, Binding Corporate Rules (BCRs), or derogations.
- SCCs affirmed with conditions: SCCs remain valid only if exporters and importers verify destination law and add technical safeguards when public authority access risks are identified.
- Supervisory oversight: Data Protection Authorities (DPAs) must suspend or prohibit transfers when adequate protection cannot be ensured, raising the bar for transfer due diligence and documentation.
- Supplementary measures: The CJEU signaled that encryption, pseudonymisation, and contractual safeguards are required when destination surveillance powers exceed EU proportionality expectations.
Why it matters for data strategy teams
- Data transfer inventories must be re-mapped to new legal bases, and SCCs must be paired with transfer impact assessments (TIAs) that evaluate local surveillance laws and vendor technical controls.
- Vendors and intra-group processors require updated contractual addenda clarifying encryption, key management, and government-access handling, especially for cloud infrastructure, support logs, and telemetry pipelines.
- Incident response and compliance reporting must account for scenarios where transfers are halted or rerouted to EU data centres, affecting SLAs and disaster recovery plans.
- Product roadmaps that depend on US-hosted analytics or support tooling need contingency plans and possibly EU-only deployments to maintain continuity.
Immediate operational steps
- Identify all data flows that relied on Privacy Shield certifications and prioritise those involving customer data, telemetry, and support escalations.
- Execute SCCs or BCRs with US vendors and affiliates; ensure modules cover processor and sub-processor chains and include audit and notification rights.
- Initiate TIAs for each SCC-covered transfer, documenting surveillance law analysis (e.g., FISA 702, EO 12333) and the technical safeguards applied.
- Enable or strengthen encryption in transit and at rest with customer-managed keys where possible; separate key custody from data processing locations.
- Update vendor risk registers and customer-facing documentation to reflect the new transfer mechanism and supplementary safeguards.
Supplementary safeguards to implement
- Encryption and key control: Enforce TLS 1.2+ with forward secrecy; encrypt data at rest with keys stored in EU-based KMS where feasible. Consider application-layer encryption for sensitive identifiers.
- Pseudonymisation: Reduce identifiability before transfer by tokenising direct identifiers and limiting attribute sets sent to non-EU regions.
- Access controls: Tighten role-based access to exported datasets, require just-in-time elevation for support tasks, and log administrative actions with retention aligned to DPIA outcomes.
- Data minimisation: Limit logging verbosity and disable debug payloads that include personal data when shipping telemetry to US endpoints.
- Contractual assurances: Document challenges to law-enforcement requests, transparency commitments, and customer notification pathways in data processing agreements.
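As an added example (not code from the briefing), the Python below applies the pseudonymisation and data-minimisation safeguards listed above to a support ticket before it leaves the EU region, and includes the kind of leak check the validation section calls for: direct identifiers are replaced with HMAC tokens under a key that stays in an EU-resident KMS, attributes outside an allowlist are dropped, and debug payloads are removed. The field names, allowlist and sample ticket are constructed assumptions.

```python
# Added example (not from the original briefing): pseudonymise a support record
# before it leaves the EU region, as the safeguards above describe. Field names,
# the allowlist and the sample ticket are constructed for illustration.
import hashlib
import hmac
import json

DIRECT_IDENTIFIERS = {"email", "customer_id", "ip_address"}   # never exported in clear
EXPORT_ALLOWLIST = {"ticket_id", "email", "customer_id", "country", "product", "severity"}
DEBUG_FIELDS = {"debug_payload", "request_body"}              # data minimisation: dropped

def tokenise(value: str, key: bytes) -> str:
    """Keyed, deterministic token: joins still work in the destination, but
    re-identification needs the key, which stays in an EU-resident KMS."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:32]

def pseudonymise_for_export(record: dict, key: bytes) -> dict:
    """Apply the allowlist, drop debug payloads, tokenise direct identifiers."""
    out = {}
    for field, value in record.items():
        if field in DEBUG_FIELDS or field not in EXPORT_ALLOWLIST:
            continue
        if field in DIRECT_IDENTIFIERS and value is not None:
            out[field] = tokenise(str(value), key)
        else:
            out[field] = value
    return out

def leaked_identifiers(exported: dict, original: dict) -> list:
    """Validation step: clear-text direct identifiers still present anywhere
    in the exported record (expected to be empty)."""
    blob = json.dumps(exported)
    return sorted(f for f in DIRECT_IDENTIFIERS
                  if original.get(f) and str(original[f]) in blob)

# Constructed sample; in practice the key is fetched from an EU-resident KMS.
SAMPLE_KEY = b"example-key-held-in-eu-kms"
SAMPLE_TICKET = {
    "ticket_id": "T-1001", "email": "alice@example.com", "customer_id": "C-4471",
    "ip_address": "203.0.113.7", "country": "DE", "product": "billing",
    "severity": "high", "free_text": "alice@example.com cannot log in",
    "debug_payload": {"email": "alice@example.com", "card_last4": "1234"},
}

if __name__ == "__main__":
    exported = pseudonymise_for_export(SAMPLE_TICKET, SAMPLE_KEY)
    print(json.dumps(exported, indent=2))
    print("leaked:", leaked_identifiers(exported, SAMPLE_TICKET))
```

The tokens are deterministic per key, so the destination can still correlate tickets for the same customer while the mapping back to the real identifier stays with the EU-held key.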
Governance and documentation
- Maintain a central register of SCCs, TIAs, and supplementary measures mapped to systems and vendors. Include expiry/renewal dates and ownership.
- Update Records of Processing Activities (RoPA) to capture the new transfer bases and any routing changes to EU data centres.
- Revise Data Protection Impact Assessments (DPIAs) for products that rely on cross-border support or analytics; document residual risks and mitigations.
- Coordinate with legal and customer success teams to publish FAQs and assurances for enterprise customers requesting evidence of Schrems II compliance.
Product and engineering impact
- Analytics and observability stacks that forward data to US regions (e.g., APM traces, crash reports) may need EU endpoints or local collectors to avoid contested transfers.
- Customer support workflows using US ticketing or chat platforms should enable EU data residency options or minimise personal data in case attachments.
- Data science teams should reassess data export jobs that move training datasets to US environments; consider federated learning or EU-hosted compute when feasible.
- CDN and DDoS services relying on global caching should review where TLS termination occurs and whether logs include identifiers that constitute personal data.
Timeline considerations
- Schrems II took effect immediately; DPAs signaled heightened scrutiny through 2020 and 2021. Early enforcement actions targeted organisations that failed to document TIAs or implement encryption safeguards.
- The European Data Protection Board (EDPB) published draft guidance on supplementary measures in November 2020, with a finalised version in 2021; teams should align implementations with that guidance.
- New SCCs were released in June 2021, but Schrems II obligations remained; adopting the 2021 SCC modules is recommended for future-proofing.
Testing and validation
- Run tabletop exercises simulating a DPA inquiry into cross-border transfers. Validate that TIAs, contract annexes, and encryption evidence are accessible within 24 hours.
- Perform data-flow tracing for high-risk systems to confirm that personal data paths match documented safeguards and that redaction/pseudonymisation is effective.
- Audit vendor configurations (e.g., logging, backup, support access) to confirm that supplementary controls are enabled and monitored.
- Integrate TIA checkpoints into change management for new vendors, new regions, or feature flags that alter data routing.
Customer and regulator communications
- Publish a customer advisory that explains the migration off Privacy Shield, the SCCs executed, and supplementary measures applied.
- Prepare standard responses for security questionnaires that request Schrems II evidence, including encryption diagrams, key custody descriptions, and escalation playbooks.
- Document regulator engagement plans in case a DPA requests details on specific transfers or supplementary measures.
What to monitor
- EDPB and national DPA guidance on acceptable supplementary measures and expectations for TIAs, including sector-specific recommendations.
- Updates to US surveillance laws or executive actions that may affect risk assessments (e.g., reforms to FISA 702) and the progress of EU–US adequacy negotiations that later produced the Data Privacy Framework.
- Vendor roadmaps for EU data residency features, customer-managed keys, and SOC2/ISO attestations that evidence control effectiveness.
- Litigation or enforcement trends where DPAs have ordered suspension of transfers or rejected SCC implementations; use those cases to refine internal controls.
Key takeaways for leads
- Schrems II requires demonstrable technical and contractual safeguards alongside SCCs; unsupported claims of encryption or data minimisation are insufficient.
- Product and platform teams must own TIAs for their vendors and services, with central governance ensuring consistency and timely renewals.
- Investing in EU-hosted analytics, support tooling, and key management reduces reliance on supplementary measures and lowers regulatory risk.
- Maintain proactive communications with customers and regulators to show progress and reduce friction in enterprise sales cycles.