
The Schrems II Ruling Explained: Privacy Shield Invalidation and Its Impact


Flowsery Team
1 min read

TL;DR — Quick Answer


The CJEU invalidated the EU-US Privacy Shield because FISA 702 enables mass surveillance of non-US persons without adequate judicial remedy, making US cloud providers problematic regardless of server location.

On July 16, 2020, the CJEU invalidated the EU-US Privacy Shield, finding that US surveillance laws (FISA 702, EO 12333) allow intelligence agencies to access non-US persons' data without adequate oversight.

Key findings: FISA 702 enables mass surveillance of non-US persons. EU citizens have no effective judicial remedy. The Privacy Shield's oversight mechanisms lacked independence.

Standard Contractual Clauses remain valid in principle but require case-by-case assessment of destination country protections. For US transfers, this assessment is nearly impossible to pass.

Impact on business: US cloud providers (AWS, Google Cloud, Azure) are problematic regardless of server location. Any SaaS processing EU personal data faces compliance challenges. Website analytics transferring visitor data to US infrastructure are affected.

What to do: Audit data flows, assess EU-based alternatives, prioritize high-risk areas like analytics and advertising, and document all compliance decisions. Treat EU-US data transfers as legally risky and plan accordingly.
