Schrems II is the landmark July 2020 judgment from the Court of Justice of the European Union (CJEU) that invalidated the EU-US Privacy Shield framework while upholding the validity of Standard Contractual Clauses (SCCs) with stringent new conditions. The ruling fundamentally altered the legal mechanism for transferring personal data from the EU to third countries, particularly the United States, by requiring a case-by-case assessment of whether the destination country provides an essentially equivalent level of data protection to that guaranteed within the EU under the General Data Protection Regulation.
Glossary
Schrems II

What is Schrems II?
A definitive 2020 ruling by the Court of Justice of the European Union that reshaped the legal landscape for international data transfers.
The decision mandates that data exporters relying on SCCs must verify, prior to any transfer, that the law of the recipient country ensures effective protection. If the foreign government's surveillance laws—specifically Section 702 of the Foreign Intelligence Surveillance Act (FISA) in the US—are deemed disproportionate and lack judicial redress for EU citizens, the exporter is obligated to implement supplementary technical measures, such as end-to-end encryption or pseudonymization with keys held exclusively outside the recipient's jurisdiction, to block access. Failure to provide these guarantees requires the suspension of the data transfer entirely, directly impacting the operational architecture of sovereign cloud and data residency strategies.
Core Components of the Ruling
The 2020 CJEU decision dismantled the EU-US Privacy Shield and imposed rigorous new obligations on data exporters relying on Standard Contractual Clauses. These are the foundational legal and technical pillars every CTO and Compliance Officer must understand.
Invalidation of Privacy Shield
The Court of Justice of the European Union (CJEU) ruled that the EU-US Privacy Shield framework failed to provide adequate protection for EU personal data. The core defect was that US surveillance laws (FISA Section 702, EO 12333) permitted disproportionate access by public authorities, violating the essence of the fundamental rights to privacy and judicial redress guaranteed under the EU Charter of Fundamental Rights. This immediately removed the primary legal mechanism for over 5,000 companies.
SCCs Survive with Conditions
The Standard Contractual Clauses (SCCs) were upheld as a valid transfer mechanism, but with a critical caveat. The ruling established that SCCs are no longer a simple 'check-the-box' exercise. Data exporters and importers must conduct a Transfer Impact Assessment (TIA) to verify, on a case-by-case basis, whether the law of the destination country provides a level of protection essentially equivalent to EU law. If not, the parties are obligated to implement supplementary measures to bridge the gap.
The Transfer Impact Assessment (TIA)
A mandatory, documented analysis that must be completed before any data transfer relying on SCCs. The TIA process requires:
- Mapping the Transfer: Identify the specific data, importer, and processing activities.
- Assessing Local Law: Analyze the destination country's surveillance and access laws for proportionality and necessity.
- Gap Analysis: Compare the foreign legal framework against the EU essential equivalence standard.
- Implementing Controls: Apply technical, contractual, and organizational measures to close any identified gaps. The assessment must be continuously re-evaluated.
Suspension Obligation
The ruling imposes a positive obligation to suspend or terminate the data transfer if the agreed supplementary measures cannot be effectively implemented. If the importer becomes subject to a legally binding request for access from a public authority that conflicts with the SCCs, they must notify the exporter immediately. The exporter is then required to halt the flow of data and potentially terminate the contract. This creates a dynamic, ongoing compliance duty rather than a static agreement.
European Essential Guarantees
The CJEU reaffirmed the four European Essential Guarantees derived from Articles 7 and 8 of the Charter, which must be present in any third-country surveillance regime for data transfers to be lawful:
- Legal Basis: Processing must be based on clear, precise, and accessible rules.
- Necessity & Proportionality: Surveillance must be strictly necessary to safeguard legitimate objectives.
- Independent Oversight: An independent mechanism must supervise the surveillance.
- Effective Remedies: Individuals must have access to effective judicial redress against abuse.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about the landmark 2020 CJEU ruling that reshaped global data transfer law.
The Schrems II ruling is a landmark July 2020 decision by the Court of Justice of the European Union (CJEU) that invalidated the EU-US Privacy Shield framework and imposed stringent conditions on the use of Standard Contractual Clauses (SCCs) for transferring personal data outside the European Economic Area. The ruling matters because it fundamentally altered the legal basis for transatlantic data flows, affecting over 5,000 companies that relied on Privacy Shield. The court determined that US surveillance laws, specifically Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, did not provide EU citizens with essentially equivalent protections to those guaranteed under the GDPR. This created immediate legal uncertainty for any organization transferring personal data from the EU to the United States, requiring them to conduct a Transfer Impact Assessment (TIA) to verify that the recipient country's legal framework provides adequate protection before relying on SCCs.
Related Terms
Key legal and technical frameworks that define the post-Schrems II landscape for transatlantic data transfers and sovereign cloud architectures.
Standard Contractual Clauses (SCCs)
The primary legal mechanism that replaced Privacy Shield after Schrems II. SCCs are pre-approved contractual terms issued by the European Commission that create binding obligations on data importers and exporters. Key requirements post-Schrems II:
- Must conduct a Transfer Impact Assessment (TIA) before relying on SCCs
- Must implement supplementary measures (encryption, pseudonymization) when local laws conflict with EU standards
- Cannot be used as a rubber stamp—requires case-by-case analysis of the destination country's surveillance laws
Transfer Impact Assessment (TIA)
A mandatory documented analysis required before any data transfer to a third country under SCCs. The TIA evaluates whether the destination country's laws and practices provide essentially equivalent protection to EU law. Assessment components:
- Analysis of local surveillance laws (e.g., FISA 702 in the US)
- Evaluation of data subject rights and redress mechanisms
- Identification of supplementary technical measures (end-to-end encryption, client-side key management) to compensate for legal gaps
- Ongoing monitoring obligation if laws change
EU-US Data Privacy Framework (DPF)
The successor to Privacy Shield, adopted in July 2023, designed to address the deficiencies identified in Schrems II. Key improvements:
- Limits US intelligence access to what is necessary and proportionate
- Establishes a Data Protection Review Court for EU citizens to seek redress
- Requires annual certification and compliance reviews
- However, legal challenges are anticipated from privacy advocates who argue the framework still fails the Schrems II test of essential equivalence
Supplementary Measures
Technical, contractual, and organizational safeguards layered on top of SCCs to compensate for gaps in third-country legal protections. Schrems II explicitly requires these when the destination country's laws do not meet EU standards. Technical measures include:
- End-to-end encryption with keys held exclusively by the data exporter
- Pseudonymization that prevents re-identification by the importer
- Split processing across multiple jurisdictions so no single authority can access complete data
- Confidential computing to protect data in use from the infrastructure provider
European Data Protection Board (EDPB) Guidance
The EDPB issued definitive recommendations in June 2021 on implementing Schrems II. The guidance provides a six-step roadmap for assessing third-country transfers:
- Map all data transfers
- Verify the transfer tool (SCCs, BCRs, etc.)
- Assess the destination country's legal framework
- Identify and adopt supplementary measures
- Implement formal procedural steps
- Re-evaluate at appropriate intervals This guidance effectively operationalizes the CJEU ruling into actionable compliance steps.
FISA Section 702
The US Foreign Intelligence Surveillance Act provision that was central to the Schrems II ruling. The CJEU found that Section 702 surveillance programs (PRISM and UPSTREAM) do not meet EU proportionality standards because they allow bulk collection of communications data without individualized suspicion. Impact on data transfers:
- Any US-based cloud provider subject to FISA 702 is considered to operate under laws incompatible with EU fundamental rights
- This creates a structural legal risk for any EU-to-US data flow unless robust technical safeguards (encryption with EU-held keys) are in place

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us