Schrems II and International Data Transfers under GDPR: What Companies Need to Know
- Tsanko Kalchev

- 23 hours ago
Introduction
The Schrems II decision of the Court of Justice of the European Union (CJEU) represents one of the most significant developments in EU data protection law in recent years. By invalidating the EU–US Privacy Shield framework, the Court fundamentally reshaped the legal basis for transferring personal data outside the European Economic Area (EEA).
For internationally active companies, this ruling has transformed cross-border data transfers from a routine compliance task into a high-risk legal issue requiring continuous assessment and documentation. Businesses can no longer rely on standard mechanisms alone but must adopt a structured and risk-based approach.
1. The Legal Background of Schrems II
The Schrems II case arose from concerns about the level of protection afforded to personal data transferred to the United States. The CJEU found that US surveillance laws allow public authorities to access personal data in a manner incompatible with EU fundamental rights.
As a result, the Court invalidated the Privacy Shield and imposed stricter requirements on other transfer mechanisms, particularly Standard Contractual Clauses (SCCs). While SCCs remain valid in principle, their use now requires additional legal and factual assessments.
2. A Shift Toward Risk-Based Compliance
One of the most important consequences of Schrems II is the shift toward risk-based compliance. Companies must now actively evaluate whether personal data transferred to third countries is adequately protected in practice—not just in theory.
This means that organizations must assess the legal environment of the destination country, including the extent to which authorities may access data and whether effective legal remedies exist for individuals.
This development aligns with broader EU regulatory trends, as discussed in our article on the EU Digital Omnibus and the future of GDPR.
3. Standard Contractual Clauses in Practice
Although SCCs remain a central transfer mechanism, their practical application has become significantly more complex. Companies must now ensure that contractual safeguards are complemented by technical and organizational measures, such as encryption, access controls, and data minimization.
In addition, organizations are required to document their assessments and be able to demonstrate compliance to supervisory authorities. This has led to increased administrative burdens, particularly for small and medium-sized enterprises.
4. Transfer Impact Assessments (TIAs)
A key compliance requirement following Schrems II is the implementation of Transfer Impact Assessments (TIAs). These assessments require companies to systematically analyze:
- the legal framework of the recipient country
- the likelihood of government access
- the effectiveness of implemented safeguards
In practice, TIAs are not a one-time exercise but must be regularly reviewed and updated. This creates an ongoing compliance obligation that requires both legal and technical expertise.
5. Operational Challenges for Businesses
From a practical perspective, Schrems II has introduced significant uncertainty. Many companies struggle to assess foreign legal systems or to determine whether additional safeguards are sufficient.
This is particularly relevant for organizations relying on global service providers, such as cloud or SaaS solutions. In these cases, data transfers are often complex and involve multiple jurisdictions, making compliance even more challenging.
Companies operating in specific EU jurisdictions, such as Bulgaria, must also consider national enforcement practices. For a detailed overview, see our guide on GDPR compliance for foreign businesses in Bulgaria.
6. Future Outlook and Regulatory Developments
Schrems II continues to shape EU data protection policy. It has already influenced ongoing discussions about reforming international data transfer rules and is likely to play a central role in future legislative initiatives.
The EU’s broader regulatory strategy—including the emerging Digital Omnibus approach—suggests that data transfer rules may become even more structured and stringent in the coming years.
Conclusion
Schrems II has fundamentally changed how companies approach international data transfers. Compliance is no longer a matter of implementing standard clauses but requires a holistic, risk-based, and continuously monitored framework.
Organizations that proactively adapt to these requirements will not only reduce legal risks but also strengthen their position in an increasingly regulated digital environment.
Contact
Need support with international data transfers after Schrems II?
We help companies implement SCCs and Transfer Impact Assessments.
Our team supports international businesses with EU compliance.
Contact us:
E-Mail: info@tk-techlaw.com
Website: www.tk-techlaw.com
Phone: 00359 88 44 55 39


