Inferensys

Glossary

Schrems II

A landmark 2020 Court of Justice of the European Union ruling that invalidated the EU-US Privacy Shield framework, requiring supplementary measures for data transfers to ensure equivalent protection.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
LANDMARK EU DATA TRANSFER RULING

What is Schrems II?

The 2020 Court of Justice of the European Union decision that invalidated the EU-US Privacy Shield and imposed strict supplementary measure requirements for international data transfers.

Schrems II is the landmark July 2020 ruling by the Court of Justice of the European Union (CJEU) that invalidated the EU-US Privacy Shield framework and significantly strengthened the requirements for transferring personal data to third countries under Standard Contractual Clauses (SCCs). The decision mandates that data exporters must verify, on a case-by-case basis, whether the law of the destination country provides essentially equivalent protection to the GDPR, requiring supplementary measures if gaps exist.

The ruling directly impacts any organization transferring EU personal data to jurisdictions with government surveillance laws deemed incompatible with EU fundamental rights, particularly the United States. It requires controllers and processors to conduct a Transfer Impact Assessment (TIA) documenting the legal analysis and technical controls—such as end-to-end encryption or pseudonymization—that prevent public authorities from accessing data in a way disproportionate to what is necessary in a democratic society.

THE SCHREMS II FRAMEWORK

Core Tenets of the Ruling

The landmark 2020 CJEU decision dismantled the EU-US Privacy Shield and imposed strict obligations on data exporters to verify equivalent protection in third countries.

01

Invalidation of Privacy Shield

The Court of Justice of the European Union (CJEU) declared the EU-US Privacy Shield Framework invalid as a transfer mechanism. The ruling determined that US surveillance laws—specifically Section 702 of FISA and Executive Order 12333—did not provide protections essentially equivalent to those guaranteed under the Charter of Fundamental Rights of the EU. This immediately eliminated the self-certification mechanism relied upon by over 5,000 companies for transatlantic data flows.

02

Supplementary Measures Obligation

The ruling mandates that data exporters relying on Standard Contractual Clauses (SCCs) must verify, on a case-by-case basis, whether the law of the destination country ensures adequate protection. If not, exporters must implement supplementary measures to bring the protection level up to the EU standard. These measures include:

  • Technical controls: End-to-end encryption with keys held exclusively by the exporter, pseudonymization, or split processing architectures.
  • Organizational controls: Contractual warranties, transparency reports, and policies for challenging government access requests.
  • Contractual measures: Amended SCCs with enhanced notification obligations and data subject rights enforcement.
03

SCCs Survived but with Teeth

The CJEU upheld the validity of Standard Contractual Clauses as a legal transfer mechanism but imposed a continuous monitoring obligation. Exporters must now conduct a Transfer Impact Assessment (TIA) before any transfer and suspend data flows immediately if the destination jurisdiction's laws prevent compliance with the SCCs. The competent supervisory authority must be notified of such suspensions, and in some cases, data must be deleted or returned.

04

Supervisory Authority Enforcement

National Data Protection Authorities (DPAs) were granted explicit power to suspend or prohibit data transfers to third countries if SCCs are not or cannot be complied with. This decentralized enforcement model means a single DPA—such as the Irish DPC or Hamburg DPA—can effectively block transfers globally for a controller. The ruling eliminated any margin of discretion for DPAs; they must act when a complaint is lodged and a violation is substantiated.

05

Essential Equivalence Standard

The ruling crystallized the essential equivalence test: the third country must provide a level of protection substantially comparable to that within the EU, read in light of the Charter of Fundamental Rights. This is not a requirement of identical laws but of functional parity in limitations on government surveillance, independent oversight mechanisms, and effective judicial redress for data subjects. Mere contractual promises are insufficient if the legal framework of the destination country undermines them.

06

Impact on Cloud Architecture

Schrems II forced a fundamental re-architecture of global cloud services. Providers responded with sovereign cloud offerings, customer-controlled encryption keys held in EU-based HSMs, and confidential computing enclaves that encrypt data in use. The ruling accelerated adoption of geo-partitioned databases and residency-aware routing to ensure data processing remains within the EEA, eliminating foreign administrative access to plaintext data.

SCHREMS II EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about the landmark CJEU ruling that reshaped international data transfers and cloud architecture.

Schrems II (Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems) is a landmark July 16, 2020 ruling by the Court of Justice of the European Union (CJEU) that invalidated the EU-US Privacy Shield framework. The court found that US surveillance laws—specifically Section 702 of FISA and Executive Order 12333—do not provide a level of protection essentially equivalent to the GDPR. The Privacy Shield failed because it prioritized US national security interests over individual privacy rights, lacking proportionality and judicial redress mechanisms for EU data subjects. The ruling simultaneously upheld the validity of Standard Contractual Clauses (SCCs) but imposed a critical new obligation: data exporters must conduct a Transfer Impact Assessment (TIA) to verify that the destination country's laws provide adequate protection in practice, not just on paper. If they do not, the exporter must implement supplementary measures—technical, contractual, or organizational—to bring protection up to the EU standard. If no supplementary measure can close the gap, the transfer must be suspended or terminated.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.