Schrems II

CJEU C-311/18 — Privacy Shield invalidated, SCCs + TIA mandatory

Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.

TL;DR

Schrems II (CJEU C-311/18 of 16 July 2020) invalidated the EU-US Privacy Shield. As a consequence, data transfers to third countries (outside the EU/EEA) may only take place subject to additional safeguards — typically standard contractual clauses (SCC 2021/914) plus a Transfer Impact Assessment (TIA). The Data Privacy Framework (DPF, in force since 07/2023) provides a new Privacy-Shield-equivalent for US transfers.

What is Schrems II?

Four main pillars after Schrems II:

Practical example

Practical case: Microsoft 365 with US subsidiary MS Inc. as a sub-processor.

- DPA with Microsoft (EU contracting party)
- SCC annex for the US transfer
- TIA: take into account Trump 2024 decisions and FISA Section 702
- Alternative: DPF — Microsoft Inc. is DPF-certified
- In practice: dual track (DPF + SCC) as risk mitigation

Frequently asked questions

Do I need SCCs, or is the DPF sufficient?
If the US company is DPF-certified: the DPF is sufficient (no SCCs required). If not certified: SCCs + TIA are mandatory. Best practice: dual track given the uncertainty around DPF stability.
How do I conduct a TIA?
5 steps: (1) identify the third country, (2) assess the level of protection (government access rights, legal redress), (3) additional measures (encryption, pseudonymisation), (4) documentation, (5) regular review.
What if the DPF is invalidated again?
Schrems III is pending. Strategy: keep SCCs as a backup safeguard, use encryption at rest with EU-held keys, prefer EU hosting where possible.

See also