Schrems II

Security & Compliance intermediate

Schrems II is the 2020 ruling of the EU Court of Justice that invalidated the EU–US Privacy Shield and tightened the conditions for transferring personal data outside the EU.

Summary

Schrems II is the 2020 judgment of the Court of Justice of the European Union (case C-311/18). It invalidated the EU–US Privacy Shield framework and substantially tightened the conditions under which personal data may be transferred outside the EU.

What is Schrems II?

The case, brought by Austrian lawyer Max Schrems, examined whether US legal frameworks gave EU citizens enough protection against US government surveillance once their data crossed the Atlantic. The court ruled they did not, struck down the Privacy Shield, and held that controllers relying on Standard Contractual Clauses (SCCs) must perform a Transfer Impact Assessment for every third-country transfer and add supplementary technical or organisational measures if the destination country falls short of EU standards.

In practice, Schrems II forced every EU organisation to look at its cloud and SaaS suppliers more carefully. Where is the data processed? Where are the administrators located? Does the provider have a parent company subject to extraterritorial laws such as the US CLOUD Act? Many organisations responded by adding encryption with EU-held keys, by switching to EU-based providers, or by moving workloads to self-hosted, on-premises, or sovereign-cloud deployments.

The 2023 EU–US Data Privacy Framework partially restored a legal basis for transfers, but the underlying Schrems II reasoning still shapes vendor selection. Decisions about identity providers, mesh VPN management planes, and SIEM data residency are typically made with Schrems II in mind.

Why is Schrems II relevant?

  • Vendor due diligence: Forces explicit assessment of cross-border data flows
  • Driver of sovereignty: Strong argument for EU-based and self-hosted alternatives
  • Audit topic: Regulators and auditors expect documented Transfer Impact Assessments
  • Architectural impact: Often determines where control planes and key material are placed

Related terms

  • GDPR: The data-protection regulation Schrems II interprets
  • CLOUD Act: US law cited as the core risk factor in Schrems II analyses
  • NIS2 Directive: Newer EU regulation that intersects with Schrems II in supply-chain reviews
  • DORA: Financial-sector regulation that also drives sovereignty considerations
