Data Sovereignty
2019

Schrems II Case: EU-US Data Transfers Under Fire Again

The Schrems II ruling in 2020 invalidated Privacy Shield and imposed new Transfer Impact Assessment requirements — creating the most significant transatlantic data compliance disruption since Safe Harbor's collapse.

When Austrian privacy activist Max Schrems filed his second major complaint against Facebook in 2015, few anticipated it would invalidate the entire EU-US data transfer framework four years later. But on July 16, 2020, the CJEU did exactly that — striking down Privacy Shield and placing Standard Contractual Clauses under significant scrutiny.

The Schrems II ruling created immediate legal uncertainty for thousands of organizations that had relied on Privacy Shield as their primary mechanism for EU-US data transfers. Understanding the case, the ruling, and its ongoing implications is essential for any organization with transatlantic data flows.

The Background: Schrems I and Its Aftermath

Max Schrems first came to prominence in 2013 when he filed a complaint with the Irish Data Protection Authority challenging Facebook's transfer of European user data to US servers. His complaint, filed days after the Snowden revelations, argued that US surveillance law made adequate protection of EU data impossible.

The resulting Schrems I ruling in 2015 invalidated Safe Harbor — the data transfer framework that had governed EU-US flows since 2000. Safe Harbor's collapse sent thousands of companies scrambling for alternative transfer mechanisms, primarily Standard Contractual Clauses.

The EU and US negotiated Privacy Shield as Safe Harbor's replacement, launching it in 2016 with claimed improvements: stronger obligations on US companies, enhanced oversight by US authorities, and a new ombudsperson mechanism for EU citizens to raise complaints. Privacy advocates immediately criticized it as inadequate.

Schrems filed a new complaint, this time targeting Facebook's use of SCCs rather than Privacy Shield directly. The Irish DPA referred the case to the CJEU, setting up the ruling that would become Schrems II.

The 2020 Ruling: Privacy Shield Falls Again

The CJEU's July 2020 ruling was more sweeping than many expected. The court invalidated Privacy Shield entirely, finding that US surveillance law — particularly FISA Section 702 and Executive Order 12333 — did not provide EU citizens with effective judicial redress equivalent to what EU law guarantees.

The court didn't invalidate SCCs outright, but imposed new conditions. Organizations using SCCs must conduct Transfer Impact Assessments to verify that destination country law doesn't prevent compliance with SCC obligations. If it does, organizations must implement supplementary measures or suspend the transfer.

For EU-US transfers, the TIA requirement created a dilemma. US surveillance law clearly permitted government access to data held by US companies. Could SCCs plus supplementary measures (encryption, pseudonymization) bridge this gap? Regulators gave inconsistent guidance, creating a period of genuine legal uncertainty.

The Practical Impact on Organizations

The immediate impact was significant anxiety and limited practical change. Most organizations continued EU-US transfers under SCCs with newly drafted TIAs while the regulatory landscape clarified. The alternative — stopping all EU-US data transfers — was operationally impossible for most businesses.

Data Protection Authorities across Europe began investigating and penalizing some EU-US transfers. Google Analytics was declared illegal in Austria, France, Italy, and other countries. The Irish DPC issued enforcement decisions against Facebook (now Meta) resulting in record GDPR fines.

US cloud providers responded with data localization options — EU-hosted infrastructure, encryption models where providers held no decryption keys, and technical architectures designed to prevent US government access to EU customer data. These investments were directly driven by Schrems II.

The EU-US Data Privacy Framework: Third Attempt

After two years of negotiation, the EU-US Data Privacy Framework was adopted in July 2023. The framework addressed the core Schrems II concerns: new limits on US intelligence community access to EU data, a binding redress mechanism through a newly created Data Protection Review Court, and enhanced oversight of intelligence activities.

Schrems immediately challenged the DPF, describing it as Privacy Shield 3.0. As of 2025, the challenge was working through EU courts, and many privacy professionals expected another invalidation — making durable data transfer compliance a persistent challenge rather than a solved problem.

The Outpace Approach: Transfer Compliance That Survives

At Outpace, we advise clients to build data transfer compliance that doesn't depend on any single adequacy mechanism — because history shows they don't last. Organizations that relied entirely on Safe Harbor were unprepared in 2015. Those that relied entirely on Privacy Shield were unprepared in 2020. A Schrems III ruling would catch the DPF-dependent equally unprepared.

Our approach: maintain current SCCs for all EU third-country transfers regardless of available adequacy decisions. Conduct and document Transfer Impact Assessments. Implement technical safeguards (encryption at rest and in transit, access controls) that reduce government access risk. Build data governance documentation that demonstrates proactive compliance.

For organizations with significant EU-US data flows, we evaluate whether EU-hosted infrastructure options from US cloud providers (AWS EU Sovereign Cloud, Microsoft EU Data Boundary) provide sufficient separation to withstand the next legal challenge.

Moving Forward: Schrems III Is Possible

Privacy advocates have been consistent: they will continue challenging EU-US data transfer mechanisms until US surveillance law is fundamentally reformed. That reform is not imminent.

The prudent posture is to build data transfer compliance that can survive the loss of any single mechanism. Maintain SCCs. Conduct TIAs. Consider EU-hosted infrastructure for the most sensitive data categories. Document everything. Organizations that build this resilience won't be caught flat-footed by the next Schrems ruling.

💡 Ready to build data transfer compliance that survives the next Schrems ruling? Outpace Professional Services designs durable cross-border data governance frameworks. Contact us for a transfer risk assessment.