Inferensys

Glossary

Schrems II

A landmark 2020 Court of Justice of the European Union ruling that invalidated the EU-US Privacy Shield framework, significantly impacting the legal basis for transatlantic data transfers.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
EU DATA PROTECTION LANDMARK

What is Schrems II?

A definitive 2020 ruling by the Court of Justice of the European Union that reshaped the legal landscape for international data transfers.

Schrems II is the landmark July 2020 judgment from the Court of Justice of the European Union (CJEU) that invalidated the EU-US Privacy Shield framework while upholding the validity of Standard Contractual Clauses (SCCs) with stringent new conditions. The ruling fundamentally altered the legal mechanism for transferring personal data from the EU to third countries, particularly the United States, by requiring a case-by-case assessment of whether the destination country provides an essentially equivalent level of data protection to that guaranteed within the EU under the General Data Protection Regulation.

The decision mandates that data exporters relying on SCCs must verify, prior to any transfer, that the law of the recipient country ensures effective protection. If the foreign government's surveillance laws—specifically Section 702 of the Foreign Intelligence Surveillance Act (FISA) in the US—are deemed disproportionate and lack judicial redress for EU citizens, the exporter is obligated to implement supplementary technical measures, such as end-to-end encryption or pseudonymization with keys held exclusively outside the recipient's jurisdiction, to block access. Failure to provide these guarantees requires the suspension of the data transfer entirely, directly impacting the operational architecture of sovereign cloud and data residency strategies.

SCHREMS II ANATOMY

Core Components of the Ruling

The 2020 CJEU decision dismantled the EU-US Privacy Shield and imposed rigorous new obligations on data exporters relying on Standard Contractual Clauses. These are the foundational legal and technical pillars every CTO and Compliance Officer must understand.

01

Invalidation of Privacy Shield

The Court of Justice of the European Union (CJEU) ruled that the EU-US Privacy Shield framework failed to provide adequate protection for EU personal data. The core defect was that US surveillance laws (FISA Section 702, EO 12333) permitted disproportionate access by public authorities, violating the essence of the fundamental rights to privacy and judicial redress guaranteed under the EU Charter of Fundamental Rights. This immediately removed the primary legal mechanism for over 5,000 companies.

July 2020
Ruling Date
5,300+
Companies Affected
02

SCCs Survive with Conditions

The Standard Contractual Clauses (SCCs) were upheld as a valid transfer mechanism, but with a critical caveat. The ruling established that SCCs are no longer a simple 'check-the-box' exercise. Data exporters and importers must conduct a Transfer Impact Assessment (TIA) to verify, on a case-by-case basis, whether the law of the destination country provides a level of protection essentially equivalent to EU law. If not, the parties are obligated to implement supplementary measures to bridge the gap.

2021
New SCCs Adopted
04

The Transfer Impact Assessment (TIA)

A mandatory, documented analysis that must be completed before any data transfer relying on SCCs. The TIA process requires:

  1. Mapping the Transfer: Identify the specific data, importer, and processing activities.
  2. Assessing Local Law: Analyze the destination country's surveillance and access laws for proportionality and necessity.
  3. Gap Analysis: Compare the foreign legal framework against the EU essential equivalence standard.
  4. Implementing Controls: Apply technical, contractual, and organizational measures to close any identified gaps. The assessment must be continuously re-evaluated.
6 Steps
EDPB Methodology
05

Suspension Obligation

The ruling imposes a positive obligation to suspend or terminate the data transfer if the agreed supplementary measures cannot be effectively implemented. If the importer becomes subject to a legally binding request for access from a public authority that conflicts with the SCCs, they must notify the exporter immediately. The exporter is then required to halt the flow of data and potentially terminate the contract. This creates a dynamic, ongoing compliance duty rather than a static agreement.

Art. 28
GDPR Obligation
06

European Essential Guarantees

The CJEU reaffirmed the four European Essential Guarantees derived from Articles 7 and 8 of the Charter, which must be present in any third-country surveillance regime for data transfers to be lawful:

  • Legal Basis: Processing must be based on clear, precise, and accessible rules.
  • Necessity & Proportionality: Surveillance must be strictly necessary to safeguard legitimate objectives.
  • Independent Oversight: An independent mechanism must supervise the surveillance.
  • Effective Remedies: Individuals must have access to effective judicial redress against abuse.
SCHREMS II EXPLAINED

Frequently Asked Questions

Clear, technically precise answers to the most common questions about the landmark 2020 CJEU ruling that reshaped global data transfer law.

The Schrems II ruling is a landmark July 2020 decision by the Court of Justice of the European Union (CJEU) that invalidated the EU-US Privacy Shield framework and imposed stringent conditions on the use of Standard Contractual Clauses (SCCs) for transferring personal data outside the European Economic Area. The ruling matters because it fundamentally altered the legal basis for transatlantic data flows, affecting over 5,000 companies that relied on Privacy Shield. The court determined that US surveillance laws, specifically Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, did not provide EU citizens with essentially equivalent protections to those guaranteed under the GDPR. This created immediate legal uncertainty for any organization transferring personal data from the EU to the United States, requiring them to conduct a Transfer Impact Assessment (TIA) to verify that the recipient country's legal framework provides adequate protection before relying on SCCs.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.