Schrems II
Schrems II (CJEU Case C-311/18, July 2020) invalidated the EU-US Privacy Shield and fundamentally changed how EU personal data can flow to the United States.
What is Schrems II?
Schrems II is the July 2020 ruling from the Court of Justice of the European Union in Case C-311/18 (Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems). The court invalidated the EU-US Privacy Shield framework as a basis for transferring EU personal data to the United States, finding that U.S. surveillance laws (FISA Section 702, Executive Order 12333) provided EU data subjects insufficient legal recourse.
The ruling did not invalidate Standard Contractual Clauses (SCCs) but required organizations using SCCs to perform a Transfer Impact Assessment (TIA) and implement supplementary technical or organizational measures where the destination jurisdiction's surveillance laws fall short of EU adequacy.
The EU-US Data Privacy Framework
In July 2023 the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF), the successor to Privacy Shield. EU data can flow to certified U.S. companies under the new framework without SCCs or TIAs. The DPF is itself under legal challenge ("Schrems III" is pending), so prudent organizations maintain SCCs as a fallback transfer mechanism.
Schrems II for AI procurement
If an AI vendor processes EU personal data and routes it through U.S.-based upstream model APIs, the EU controller must verify one of two things: that the vendor (and each upstream sub-processor) is certified under the DPF, or that SCCs are in place with a documented TIA. Most enterprise AI procurement reviews now ask both the vendor and its sub-processors directly. The TIA is a real document, not a checkbox.