Schrems II

The Schrems II decision was triggered by a challenge to Facebook's mechanism for transferring European user data to the US. The court ruled that the Privacy Shield was invalid because US surveillance law did not offer EU individuals adequate protection against government access to their data.

The ruling didn't prohibit EU-US data transfers, but it required organizations relying on Standard Contractual Clauses (SCCs) to conduct Transfer Impact Assessments (TIAs), individualized evaluations of whether the destination country's laws undermine the SCCs' protections.

The EU-US Data Privacy Framework (DPF), adopted in 2023, provides a new adequacy mechanism for qualifying US organizations. However, it faces ongoing legal challenges. For organizations with EU-US data flows, maintaining awareness of the current transfer mechanism landscape and conducting TIAs where required remains an active compliance obligation.