Schrems II is the landmark July 2020 ruling by the Court of Justice of the European Union (CJEU) that invalidated the EU-US Privacy Shield framework and significantly strengthened the requirements for transferring personal data to third countries under Standard Contractual Clauses (SCCs). The decision mandates that data exporters must verify, on a case-by-case basis, whether the law of the destination country provides essentially equivalent protection to the GDPR, requiring supplementary measures if gaps exist.
Glossary
Schrems II

What is Schrems II?
The 2020 Court of Justice of the European Union decision that invalidated the EU-US Privacy Shield and imposed strict supplementary measure requirements for international data transfers.
The ruling directly impacts any organization transferring EU personal data to jurisdictions with government surveillance laws deemed incompatible with EU fundamental rights, particularly the United States. It requires controllers and processors to conduct a Transfer Impact Assessment (TIA) documenting the legal analysis and technical controls—such as end-to-end encryption or pseudonymization—that prevent public authorities from accessing data in a way disproportionate to what is necessary in a democratic society.
Core Tenets of the Ruling
The landmark 2020 CJEU decision dismantled the EU-US Privacy Shield and imposed strict obligations on data exporters to verify equivalent protection in third countries.
Invalidation of Privacy Shield
The Court of Justice of the European Union (CJEU) declared the EU-US Privacy Shield Framework invalid as a transfer mechanism. The ruling determined that US surveillance laws—specifically Section 702 of FISA and Executive Order 12333—did not provide protections essentially equivalent to those guaranteed under the Charter of Fundamental Rights of the EU. This immediately eliminated the self-certification mechanism relied upon by over 5,000 companies for transatlantic data flows.
Supplementary Measures Obligation
The ruling mandates that data exporters relying on Standard Contractual Clauses (SCCs) must verify, on a case-by-case basis, whether the law of the destination country ensures adequate protection. If not, exporters must implement supplementary measures to bring the protection level up to the EU standard. These measures include:
- Technical controls: End-to-end encryption with keys held exclusively by the exporter, pseudonymization, or split processing architectures.
- Organizational controls: Contractual warranties, transparency reports, and policies for challenging government access requests.
- Contractual measures: Amended SCCs with enhanced notification obligations and data subject rights enforcement.
SCCs Survived but with Teeth
The CJEU upheld the validity of Standard Contractual Clauses as a legal transfer mechanism but imposed a continuous monitoring obligation. Exporters must now conduct a Transfer Impact Assessment (TIA) before any transfer and suspend data flows immediately if the destination jurisdiction's laws prevent compliance with the SCCs. The competent supervisory authority must be notified of such suspensions, and in some cases, data must be deleted or returned.
Supervisory Authority Enforcement
National Data Protection Authorities (DPAs) were granted explicit power to suspend or prohibit data transfers to third countries if SCCs are not or cannot be complied with. This decentralized enforcement model means a single DPA—such as the Irish DPC or Hamburg DPA—can effectively block transfers globally for a controller. The ruling eliminated any margin of discretion for DPAs; they must act when a complaint is lodged and a violation is substantiated.
Essential Equivalence Standard
The ruling crystallized the essential equivalence test: the third country must provide a level of protection substantially comparable to that within the EU, read in light of the Charter of Fundamental Rights. This is not a requirement of identical laws but of functional parity in limitations on government surveillance, independent oversight mechanisms, and effective judicial redress for data subjects. Mere contractual promises are insufficient if the legal framework of the destination country undermines them.
Impact on Cloud Architecture
Schrems II forced a fundamental re-architecture of global cloud services. Providers responded with sovereign cloud offerings, customer-controlled encryption keys held in EU-based HSMs, and confidential computing enclaves that encrypt data in use. The ruling accelerated adoption of geo-partitioned databases and residency-aware routing to ensure data processing remains within the EEA, eliminating foreign administrative access to plaintext data.
Frequently Asked Questions
Clear, technical answers to the most common questions about the landmark CJEU ruling that reshaped international data transfers and cloud architecture.
Schrems II (Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems) is a landmark July 16, 2020 ruling by the Court of Justice of the European Union (CJEU) that invalidated the EU-US Privacy Shield framework. The court found that US surveillance laws—specifically Section 702 of FISA and Executive Order 12333—do not provide a level of protection essentially equivalent to the GDPR. The Privacy Shield failed because it prioritized US national security interests over individual privacy rights, lacking proportionality and judicial redress mechanisms for EU data subjects. The ruling simultaneously upheld the validity of Standard Contractual Clauses (SCCs) but imposed a critical new obligation: data exporters must conduct a Transfer Impact Assessment (TIA) to verify that the destination country's laws provide adequate protection in practice, not just on paper. If they do not, the exporter must implement supplementary measures—technical, contractual, or organizational—to bring protection up to the EU standard. If no supplementary measure can close the gap, the transfer must be suspended or terminated.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Essential legal instruments, assessments, and architectural patterns that operationalize the Schrems II ruling for cross-border data transfers.
Standard Contractual Clauses (SCC)
Pre-approved legal contract templates issued by the European Commission that provide adequate safeguards for data protection when transferring personal data out of the EEA. Post-Schrems II, the 2021 modernized SCCs introduced a modular approach covering controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller scenarios. Organizations must now conduct a Transfer Impact Assessment before relying solely on SCCs, and may need to implement supplementary measures such as end-to-end encryption or pseudonymization to ensure enforceable data subject rights in the destination country.
Transfer Impact Assessment (TIA)
A mandatory, documented risk assessment required under GDPR and clarified by the European Data Protection Board (EDPB) following Schrems II. Before transferring personal data to a third country, data exporters must evaluate:
- The legal framework of the destination country, specifically surveillance laws like FISA Section 702
- The practical enforceability of SCCs in that jurisdiction
- Whether supplementary technical measures can neutralize identified risks If the assessment concludes that equivalent protection cannot be guaranteed, the transfer must be suspended or the competent supervisory authority notified.
Supplementary Measures
Technical, contractual, and organizational controls layered on top of SCCs to compensate for gaps in a third country's legal regime. The EDPB's Recommendations 01/2020 categorize measures by effectiveness:
- Technical measures: End-to-end encryption with keys held exclusively by the exporter, pseudonymization, split processing, and confidential computing enclaves
- Contractual measures: Enhanced audit rights, transparency obligations on government access requests, and mandatory notification of legal changes
- Organizational measures: Internal policies with disciplinary sanctions, regular transparency reports, and documented warrant canary processes Without effective supplementary measures, SCCs alone are insufficient for transfers to jurisdictions with disproportionate surveillance laws.
Adequacy Decision
A formal declaration by the European Commission under Article 45 of GDPR that a non-EU country provides a level of data protection essentially equivalent to that within the EEA. Adequacy decisions eliminate the need for SCCs or BCRs for transfers to that country. Post-Schrems II, the EU-US Data Privacy Framework (adopted July 2023) represents the third attempt at an adequacy decision for the United States, introducing a new Data Protection Review Court and binding safeguards limiting US signals intelligence access to what is necessary and proportionate. Adequacy decisions are subject to periodic review and can be challenged before the CJEU.
Binding Corporate Rules (BCR)
Legally binding internal data protection policies for multinational corporate groups governing intra-organizational transfers to countries without an adequacy decision. Unlike SCCs, BCRs require approval from a lead supervisory authority through the consistency mechanism and must demonstrate enforceable rights for data subjects across the entire corporate group. Post-Schrems II, approved BCRs must also be supplemented by a TIA and, where necessary, technical measures. BCRs are particularly suited for organizations with complex, frequent intra-group data flows where individual SCC execution would be operationally impractical.
European Data Protection Board (EDPB)
The independent EU body composed of representatives from each member state's supervisory authority and the European Data Protection Supervisor. The EDPB issues binding decisions and authoritative guidance on GDPR interpretation, including the Recommendations 01/2020 that operationalize Schrems II. Key EDPB outputs include:
- The six-step roadmap for assessing third country transfers
- Use case examples of effective supplementary measures
- The European Essential Guarantees for surveillance law analysis Organizations rely on EDPB guidance to structure defensible transfer mechanisms and demonstrate accountability to supervisory authorities.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us