TLDR:

Schrems II is the colloquial name for the 2020 Court of Justice of the European Union (CJEU) decision (Case C-311/18) that invalidated the EU-US Privacy Shield framework and imposed strict requirements on international personal data transfers under GDPR. The decision, named after privacy activist Max Schrems, fundamentally reshaped how organizations transfer personal data outside the EU.

What the Court Decided

The CJEU found that US surveillance laws (FISA 702, EO 12333) and the lack of judicial redress for EU citizens meant the US did not provide an “essentially equivalent” level of protection to GDPR. Privacy Shield was invalidated immediately. Standard Contractual Clauses (SCCs) were upheld in principle but required additional safeguards: a Transfer Impact Assessment (TIA) evaluating the local laws of the recipient country, and supplementary measures (encryption, pseudonymization, legal challenges to surveillance access).

The EU-US Data Privacy Framework

In response, the European Commission and US Government negotiated a successor framework (Trans-Atlantic Data Privacy Framework, adopted July 2023 as the EU-US Data Privacy Framework). This framework includes Executive Order 14086 limiting US intelligence access to EU data and establishing a Data Protection Review Court. The framework allows transfers to certified US organizations without additional safeguards, though Schrems and others have challenged its adequacy in pending litigation.

Practical Compliance Today

Organizations transferring personal data from the EU to third countries should: rely on adequacy decisions where available (UK, Switzerland, Japan, South Korea, EU-US DPF for certified US entities), use the updated SCCs (2021 version) for transfers without adequacy, conduct Transfer Impact Assessments documenting their analysis of recipient country law, implement supplementary technical measures (especially encryption with EU-held keys), and monitor regulatory developments. The Turkish KVKK has parallel requirements; Türkiye is not currently subject to an adequacy decision, so EU-to-Türkiye transfers require SCCs plus a TIA.