Schrems II a summary – all you need to know


Schrems II is still the leading EU case on international transfers of personal data. The judgment invalidated the EU–US Privacy Shield in 2020 and made clear that organisations cannot rely on transfer paperwork alone. If personal data is transferred outside the EU/EEA, the exporter must assess whether the transfer mechanism works in practice.

Since Schrems II, the legal landscape has moved on. The European Commission has adopted new Standard Contractual Clauses, organisations have become used to Transfer Impact Assessments, and the EU–US Data Privacy Framework now provides an adequacy route for transfers to certified US organisations.

But the operational lesson from Schrems II remains the same: international data transfers must be understood, documented and controlled, not simply approved in a contract.

For many businesses, the practical challenge is no longer whether international transfers exist. They almost always do. The real question is whether the organisation knows where they occur, which transfer mechanism applies, what residual risks remain, and which technical and contractual safeguards reduce those risks to an acceptable level.

Reading time: 14 minutes
Updated: June 2026

Summary of Schrems II

On 16 July 2020, the Court of Justice of the European Union (ECJ) in its Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (called “Schrems II case”) invalidated the EU-US Privacy Shield. The Court cast doubt over the extent transfers can be legitimised by the European Commission’s Standard Contractual Clauses (SCC) for personal data transfers to the US and globally. The SCCs were still valid as a transfer mechanism in principle but would require additional work.


To study the case in its entirety, see the ECJ’s full judgment in Case C-311/18.

Background of Schrems II

The case originated from activist Maximilian Schrems’ call for the Irish Data Protection Commissioner to invalidate the SCC for Facebook’s use of transferring personal data to its headquarters in the US. The personal data, both in transit to and when stored in the US, it was argued, could be accessed by US intelligence agencies. This, according to Schrems, would be in violation of the GDPR and, more broadly, EU law.

The main rule in the GDPR is that transfers outside of the EU and EEA are prohibited unless an adequate safeguard can be used. First and foremost, there are the EU Commission’s adequacy decisions, where the EU Commission, after a thorough evaluation of national laws, has concluded that a country’s data protection laws are essentially equivalent to the GDPR. Then there are the mechanisms for secure transfers outside of the EU/EEA that existed prior to Schrems II: Privacy Shield, the EU Standard Contractual Clauses and Binding Corporate Rules (only for intra-group transfers). There are also possibilities for exemptions from the general principle that a recipient country must have an adequate level of protection, in the form of the Article 49 derogations.

What was tried, and what was decided?

Privacy Shield invalidated due to shortcomings in US laws

US laws had several shortcomings that impede the protection of personal data and violate the GDPR. In essence, the Court pointed to the far-reaching possibilities of surveillance that exist under US national security laws (namely Section 702 of the US Foreign Intelligence Surveillance Act (FISA), Executive Order 12333 and Presidential Policy Directive 28). These laws regulate US authorities’ access to and use of personal data imported from the EU into the US and do not have the controls to adequately protect EU data subjects that may become the target of national security investigations.

In detail, the Court found that data subject rights were not actionable before the courts against US authorities. The Privacy Shield had contemplated a protection mechanism in the form of an Ombudsman. Still, the role did not have the power to adopt decisions that would be binding on US intelligence services.

Companies must now verify the privacy protection in the recipient country in order to use the SCCs

Schrems II also dealt with standard contractual clauses (SCCs). It raised the question of whether the SCCs decided by the European Commission were valid in the context of transfers to the US. The Court decided that, while SCCs are still valid, they require additional work. Companies must ensure that the recipient country has equivalent data protection to that of the EU. They cannot rely on SCCs alone – the time to “sign and forget” is over.

“Since by their inherently contractual nature standard data protection clauses cannot bind the public authorities of third countries…” (Judgement, paragraph 132)

“In that regard, as the Advocate General stated in point 126 of his Opinion, the contractual mechanism provided for in Article 46(2)(c) of the GDPR is based on the responsibility of the controller or his or her subcontractor established in the European Union and, in the alternative, of the competent supervisory authority. It is, therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses. (Judgement, paragraph 134)

Where the controller or a processor established in the European Union is not able to take adequate additional measures to guarantee such protection, the controller or processor or, failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned. That is the case, in particular, where the law of that third country imposes on the recipient of personal data from the European Union obligations which are contrary to those clauses and are, therefore, capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that third country to that data.” (Judgement, paragraph 135)

A company that makes data available for potential cross-border transfer (including the common case of using a non-EU supplier) shall inform itself of and assess the recipient country’s level of compliance with the GDPR.

The Court emphasised the existing obligation of the data exporter to ensure adequate protection of the data before exporting any data. The recipient is obliged to inform the exporter of any impediments to its compliance with the SCCs. If the existence of local surveillance laws would impede the alignment with the GDPR, then the exporter (read your customers) must stop the transfer and end the contract. If the data exporter fails its obligations under the SCC, the lead supervisory authority must intervene and may prohibit the transfer.

Analysis of the current situation using US service providers

Organisations should without delay confirm that the cross-border data transfers they are responsible for comply with the GDPR and the CJEU’s recent judgment.

Acting on the invalidation of the EU-US Privacy Shield 

  • There will likely not be any broad enforcement of the case in the coming months, just like the last time, when the predecessor of Privacy Shield, the EU-US Safe Harbour mechanism, was invalidated.
  • If your company has business interests in markets with more immediate and strict enforcement, e.g. the Netherlands and Germany.
  • Do not start using the EU–US Privacy Shield during this period.
  • Consider switching to an alternative safeguard (such as the SCC).
  • Consider whether there are non-US alternative suppliers.

Work required to continue to use Standard Contractual Clauses (SCC)

  • Identify the cross-border transfers under your responsibility.
  • Perform a nuanced analysis of the recipient country’s level of data protection compliance with the GDPR. If any countries in the Five Eyes alliance are involved (Australia, Canada, New Zealand, the United Kingdom and the United States), an in-depth analysis is required.
  • Help your customers and suppliers verify the level of data protection that applies to any data exports under your responsibility. Compile your privacy documentation, adherence to relevant ISO or other standards, codes of conduct, and any previous prior consultations with your supervisory authority.
  • Keep track of any new and updated guidelines from the European data protection regulators on how to use the SCCs and their statements on the legality of data transfers to certain countries.
  • Monitor the European Commission’s forthcoming release of updated SCCs addressing the risks identified by the Court for exports to the US.
  • Add additional safeguards to the SCCs (called SCCs plus) where the exporter and importer regulate any remaining risks associated with the data transfer. Such safeguards can involve additional technical controls and contractual obligations on how to manage onward transfers and compelled disclosures to authorities.

Further complications using SCC for US services 

Keep in mind that this ruling has limited impact on most companies using the SCC to legitimise their cross-border data transfers when the transfers are made via their own non-US communications systems.

For any US transfers, assess whether the recipient organisation is subject to FISA Section 702 and Executive Order 12333, which typically apply where the recipient is a communication service provider.

Add additional safeguards to the SCCs (called SCCs plus) where the exporter and importer regulate any remaining risks associated with the data transfer. For US transfers, it will be crucial to include in the agreement, for example, how government requests for access to personal data must be handled, so that your organisation retains enough control. Technical controls to limit the use of the data could also be implemented.

The broader significance of the Court’s criteria for global data export 

Applying the Court’s criteria for determining the adequacy of the recipient country’s privacy legislation, it appears likely that the regulators will hold the surveillance laws in the countries of the Five Eyes intelligence alliance as not adequate to the GDPR. Note that the Five Eyes alliance comprises Australia, Canada, New Zealand, the United Kingdom and the United States. Companies active in these markets may consider implementing additional technical safeguards for their data transfers to be on the safe side of enforcement.

Currently, the EU Commission is assessing the UK’s privacy legislation to decide whether to provide an adequacy decision or not by the end of 2020. In the absence of an adequacy decision come 2021, we recommend implementing additional safeguards for any UK data transfers. 

Will there be a grace period for Schrems II judgement? 

The invalidity of the Privacy Shield was immediate. As of 16 July 2020, the Privacy Shield was null and void and should not be used. As of now (23 November 2020), there is no proactive enforcement from the regulators. The regulators appear to be taking a measured stance allowing organizations to adapt their processes and infrastructure. Especially awaited is the guidance from the EU Commission and the European Data Protection Board on how to act after Schrems II, which will provide more clarity.

Notably, the activist group behind this judgment (noyb) has during the autumn sued 101 European companies (including market-leading Nordic and Swedish companies), seeking enforcement against their use of Google Analytics and Facebook Connect integrations on their websites. The use of Google Analytics allegedly violates the data transfer rules since Google relies on the SCC for onward transfer to Google in the US.

Can our organisation use Privacy Shield as a mechanism to transfer data to the US?

No, the CJEU invalidated the Privacy Shield with immediate effect on 16 July 2020, the day of its Schrems II judgment. If there is a need to transfer personal data to the US, consider an alternative legal basis.

Can we continue to use Binding Corporate Rules as a mechanism to transfer data to the US?

The Schrems II judgment may affect transfers that take place based on binding corporate rules (BCR). The legislation of the recipient country outside the EU/EEA must be analysed to see whether the country offers protection for privacy equivalent to the GDPR.

It is up to the organisation exporting data to the US or another third country to perform a Transfer Risk Assessment. Such an assessment documents the data flow, the supplier’s access to the data, the recipient country’s legislation, whether additional safeguards to the SCCs are applicable, and alternatives to the supplier.

When the national supervisory authorities approve binding corporate rules, the BCRs are checked to make sure that the rules meet the GDPR’s requirements. The BCRs contain rules on how a certain company group follows fundamental data protection principles, such as purpose limitation, data minimisation, the data subjects’ rights and how to manage complaints. It is up to the company group to make sure that the recipient countries’ national legislation respects the GDPR.

Approval from a national supervisory authority does not mean that all transfers are automatically approved. The national supervisory authority does not make an analysis of whether the recipient country’s legislation meets the GDPR requirements.

Checklist and considerations for compliance with Schrems II 

  1. Make an inventory of all non-EU suppliers, sub-suppliers, and partners (which involve data transfers outside of the EU/EEA). Review your records of processing, which should include this information. Do not forget to investigate the sub-processors of your processors.
  2. Assess the laws of the country you are transferring personal data to.
  3. To be able to use the SCC to transfer data, you should document your risk assessment of the suppliers/recipients of data. Review if there are exceptions to the strict requirements of cross-border transfers for you, review the effectiveness of using technical controls and, where possible, construct additional safeguards and request those supplements to the SCCs in place. 
  4. Review any supplier relationships that involve data transfers to the US. Is the supplier and its solution necessary, or can you change the solution and/or supplier?
  5. Public sector customers may require an alternative infrastructure setup due to the further restrictions on data transfers that apply to public sector classified personal data (according to case law, encryption and other technical controls may not be enough to allow continued use of such a supplier and service).
  6. Evaluate hybrid cloud solutions. Review the extent to which your organisation can commit to cloud and infrastructure solutions provided by American, global, European, and Swedish cloud services suppliers, respectively. 
  7. Make plans to engage in prior consultation with the Data Protection Authority to get acceptance of your transfer impact assessment and alternative set-up. 
  8. Update any data processor agreements as applicable, and change the processor if your analysis comes to that conclusion.
  9. Update any internal data protection policies to keep your organisation in line with this new situation.
  10. Update your external privacy notices to inform your visitors and customers of how you are meeting your responsibilities as controller/processor.

It is important to document the steps taken. It is also important to re-evaluate these measures at appropriate intervals. All in all, the Court’s decision does not mean that transfers of personal data to the US have been made impossible, but they are more restricted.

Update: Resources for your analysis

The transfer impact assessment you make must reference the level of protection from local laws. You will need to read up on and assess the laws of the recipient country, and read our summary of EDPB’s recommendations on European Essential Guarantees.

With any sub-processors, you shall use the new Standard Contractual Clauses; they exist in four different modules, depending on the situation. You may read our post on the New SCCs from EU – the Definitive Guide.

For some situations, when you have taken extra care and you e.g. have the consent of the customer, exemptions to the international transfer rules apply; please read our post on GDPR article 49 derogations applicable to international transfers.

What has changed since Schrems II?

Schrems II was decided in July 2020. Since then, three developments have changed how businesses manage international data transfers.

First, the European Commission has adopted new Standard Contractual Clauses. These SCCs are modular and better adapted to modern processor, controller and sub-processor relationships. However, they do not remove the need to assess whether the recipient can comply with them in practice.

Second, Transfer Impact Assessments have become a standard part of vendor and cloud compliance. A TIA should assess the data flow, the recipient, the destination country, the likelihood and impact of government access, the technical safeguards, and any supplementary contractual or organisational measures.

Third, the EU–US Data Privacy Framework now provides an adequacy route for transfers to US organisations that are properly certified. This is a major development, but it does not eliminate the need for governance. The exporter must verify that the recipient is certified, that the certification covers the relevant entity and data type, and that the actual transfer is within scope.

For businesses, the result is a more practical transfer model:

  • use the Data Privacy Framework where it properly applies;
  • use SCCs and a TIA where it does not;
  • document the decision;
  • implement safeguards; and
  • keep the transfer under review.

Schrems II in practice: an operational checklist for 2026

For most organisations, Schrems II compliance is not solved by one legal document. It is an operational control framework for international data flows.

A practical review should cover the following steps.

  1. Map the real data flows

Start with the actual architecture, not the contract folder.

International transfers may occur through hosting, support access, telemetry, analytics, logging, monitoring, customer success tools, group company access, development environments, backups and sub-processors.

A supplier may be “EU hosted” but still involve remote access from outside the EU/EEA. That access can itself be a restricted transfer.

  2. Identify the transfer mechanism

For each transfer, identify the relevant route.

This may be an adequacy decision, the EU–US Data Privacy Framework, Standard Contractual Clauses, Binding Corporate Rules or, in limited cases, an Article 49 derogation.

Do not use Article 49 derogations as a routine solution for ongoing business transfers. They are narrow exceptions, not a replacement for proper transfer architecture.

  3. Check whether the Data Privacy Framework actually applies

For US transfers, check whether the recipient is listed as certified under the EU–US Data Privacy Framework.

Then verify the details. Is the relevant legal entity covered? Is the certification active? Does it cover HR data, non-HR data or both? Is the transfer to that entity, or to a different affiliate or sub-processor?

This check should be repeated periodically and before material changes to the service.

  4. Run a proportionate Transfer Impact Assessment

A TIA should be practical and risk-based. It should not be a generic memo copied across all suppliers.

The assessment should consider:

  • the nature of the personal data;
  • the categories of data subjects;
  • the destination country;
  • the recipient’s role and legal exposure;
  • whether public authority access is reasonably relevant;
  • the technical safeguards in place;
  • the contractual commitments from the recipient; and
  • whether the transfer remains necessary.

The more sensitive or business-critical the data, the deeper the assessment should be.

  5. Use technical controls where they matter

Contractual safeguards are important, but Schrems II is ultimately about whether protection is effective in practice.

Relevant controls may include encryption, key management in the EU/EEA, access segregation, pseudonymisation, data minimisation, strict support access controls, logging, transparency reporting and customer notification commitments.

For high-risk transfers, ask a hard question: can the supplier access personal data in clear text? If yes, why is that necessary?

  6. Build transfer review into vendor governance

International transfer compliance should be part of normal vendor management.

Update the review when there is a new sub-processor, a new hosting location, a material product change, a new support model, a new group access arrangement or a regulatory development affecting the destination country.

The strongest organisations do not treat Schrems II as a one-off project. They build it into procurement, security review, privacy review and contract renewal.

  7. Prepare for authority and customer questions

Customers, auditors and regulators may ask for evidence. Be ready to explain:

  • what transfers exist;
  • which transfer mechanisms are used;
  • whether a TIA has been completed;
  • which safeguards apply;
  • how sub-processors are controlled; and
  • when the assessment is reviewed.

Good documentation should be clear enough for legal review, but practical enough for engineering, procurement and security teams to maintain.

Common mistakes

Common mistake 1: “Our supplier hosts in the EU, so there is no transfer.”
Not always. Remote access, support, telemetry, logging or sub-processors may still create transfers.

Common mistake 2: “The supplier has SCCs, so we are done.”
No. SCCs are a transfer tool, not the whole assessment.

Common mistake 3: “The US supplier is DPF-certified, so no further checks are needed.”
No. You must verify the entity, status and scope of certification.

Common mistake 4: “The TIA is a legal memo.”
A useful TIA connects law, contracts, data flows and technical safeguards.

Common mistake 5: “This only concerns US cloud.”
No. Schrems II applies to transfers to third countries generally.

What is the biggest mistake SaaS and IaaS suppliers make?

The biggest mistake is treating international transfer compliance as a contract issue only.

Customers do not only want signed SCCs. They want confidence that the supplier understands its data flows, has implemented technical controls and can explain how international access is governed.

For suppliers, this is also a sales issue. Weak transfer answers slow down enterprise procurement. Strong transfer documentation reduces friction and builds trust.

What is the biggest mistake customers make?

The biggest mistake is accepting broad statements without understanding the actual data flow.

Statements such as “EU hosted”, “GDPR compliant”, “we use SCCs” or “we are DPF-certified” are helpful starting points, but they do not answer the full question.

Customers should understand what data is processed, where it is stored, who can access it, whether access occurs from outside the EU/EEA, which transfer mechanism applies and what safeguards reduce the risk.

Frequently Asked Questions

How should agentic software companies think about international transfers?

Agentic software companies should look beyond traditional hosting and support flows.

Agentic systems may interact with multiple tools, APIs, knowledge bases, logs, orchestration layers, model providers, monitoring systems and human review workflows. Each of these may create additional data flows.

The transfer assessment should consider:

  • what data the agent can access;
  • where prompts, outputs, logs and traces are stored;
  • whether personal data is sent to external model or infrastructure providers;
  • whether human reviewers can access data from outside the EU/EEA;
  • whether tool integrations send data to third countries;
  • how long operational logs are retained;
  • whether data is used for service improvement or training; and
  • whether sensitive or regulated customer data is excluded or controlled.

For agentic companies, the key is to map the real execution chain. The legal assessment must follow the system design, not the marketing description.

Are prompts and logs personal data?

They can be.

Prompts, outputs, traces, tickets, system logs and monitoring data may contain personal data if they identify or relate to an individual. In enterprise services, this may include employee data, customer data, support data, transaction data, HR information, emails, user IDs, IP addresses or free-text content.

For agentic and AI-enabled SaaS tools, logs are often operationally valuable. They are also legally important. Suppliers should define what is logged, why it is logged, where it is stored, who can access it, how long it is retained and whether it is transferred outside the EU/EEA.

Can anonymisation solve the transfer issue?

Only if the data is truly anonymised.

If data can no longer be linked to an identifiable individual, GDPR will not apply. However, true anonymisation is difficult, especially where the supplier or customer still holds additional data that could enable re-identification.

Pseudonymisation is useful and often recommended, but it does not remove the data from GDPR if re-identification remains possible. Pseudonymised data is still personal data.

_____________

Sharp Cookie Advisors helps technology and compliance-driven businesses turn international data transfer rules into workable vendor, cloud and product controls. We support Transfer Impact Assessments, SCC reviews, EU–US Data Privacy Framework checks, sub-processor reviews and practical transfer governance for fast-moving organisations.
