Schrems II

The Court of Justice of the European Union ruled that US surveillance laws (particularly FISA 702 and EO 12333) provide insufficient protection for EU personal data. Privacy Shield was invalidated. Standard Contractual Clauses remain valid but require case-by-case assessment of destination country protections.

The Schrems II judgment fundamentally changed international data transfer law. The CJEU found that US surveillance practices under FISA 702 and EO 12333 do not meet EU standards for data protection—specifically, they lack proportionality, independent oversight, and effective judicial remedies for EU citizens. Privacy Shield was invalidated because its reliance on US self-certification could not overcome these structural deficiencies. Standard Contractual Clauses (SCCs) remain a valid transfer mechanism, but exporters must now conduct Transfer Impact Assessments (TIAs) to verify that destination country law does not prevent SCCs from being effective. If the assessment reveals inadequate protection, transfers must stop or additional supplementary measures must be implemented. The ruling affects any transfer to countries without EU adequacy decisions, requiring organizations to assess surveillance laws globally. The EU-US Data Privacy Framework (2023) attempts to address Schrems II concerns, but its durability is uncertain.