
Transfer-Impact-Assessment

Schrems II

The Schrems II judgment fundamentally changed international data transfer law. The CJEU found that US surveillance practices under FISA 702 and EO 12333 do not meet EU standards for data protection—specifically, they lack proportionality, independent oversight, and effective judicial remedies for EU citizens. Privacy Shield was invalidated because its reliance on US self-certification could not overcome these structural deficiencies. Standard Contractual Clauses (SCCs) remain a valid transfer mechanism, but exporters must now conduct Transfer Impact Assessments (TIAs) to verify that destination country law does not prevent SCCs from being effective. If the assessment reveals inadequate protection, transfers must stop or additional supplementary measures must be implemented. The ruling affects any transfer to countries without EU adequacy decisions, requiring organizations to assess surveillance laws globally. The EU-US Data Privacy Framework (2023) attempts to address Schrems II concerns, but its durability is uncertain.