Schrems II refers to the landmark 2020 ruling by the Court of Justice of the European Union (CJEU) that invalidated the EU-US Privacy Shield framework and placed stricter requirements on international data transfers. The ruling established that organisations must assess whether the laws of the recipient country provide an essentially equivalent level of data protection before relying on Standard Contractual Clauses or other transfer mechanisms.
In practice, Schrems II requires organisations to conduct Transfer Impact Assessments (TIAs) and implement supplementary measures—such as encryption or pseudonymisation—where the legal framework of the destination country is deemed inadequate. This ruling has had a profound effect on how European organisations engage with non-EU cloud providers and service providers, particularly those based in the United States.