Datenschutz & Souveränität
Schrems II explained simply: What the ruling means for companies
A single ECJ ruling turned data transfers to the USA upside down — and its effects are still felt today. What Schrems II decided, what has been in effect since, and why EU hosting elegantly bypasses the issue.

When it comes to data protection and US providers, there is no way around two words: "Schrems II." This refers to a ruling by the European Court of Justice that fundamentally changed transatlantic data traffic—named after the Austrian lawyer Maximilian Schrems, who filed the lawsuit.
What the court decided
On July 16, 2020, the ECJ declared in theCase C-311/18the "Privacy Shield"—the basis for data transfers to the USA at the time—as invalid. At the same time, the Standard Contractual Clauses (SCC) remained fundamentally valid. In the words of theECJ press release:
„The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield … However, it considers that Commission Decision 2010/87 on standard contractual clauses … is valid.“
The reason for the end of the Privacy Shield: US surveillance law allows government access that, in the court's view, is "not limited to what is strictly necessary"—meaning no level of protection equivalent to EU law, and no effective legal remedy for EU citizens.
The catch with the standard contractual clauses
The SCCs survived the ruling — but not unscathed. The ECJ requires that the data exporter and importerbefore every transferverify whether a "substantially equivalent" level of protection actually exists in the destination country. If it is insufficient, additional measures are necessary—or the transfer must be avoided. This assessment has become known as a "Transfer Impact Assessment" (TIA); the corresponding methodology was provided by the European Data Protection Board using a six-step approach.
What has happened since 2020
The gap left by the Privacy Shield was to be filled by a successor: on July 10, 2023, the EU Commission adopted the adequacy decision for theEU-U.S. Data Privacy Framework (DPF)Since then, data can once again flow to DPF-certified US companies on a clear legal basis. The data protection organization NOYB promptly announced that it would also have this framework reviewed. An initial test turned out favorably for the DPF: on September 3, 2025, the EU court dismissed the first lawsuit (T-553/23) and confirmed—at the time of the ruling—an adequate level of protection. An appeal to the ECJ remains possible; thus, the story is not yet over.
What that means in practical terms
For companies using US services, the implication is as follows:
Check whether the US provider is DPF-certified — if so, a legal basis for transfer exists.
Otherwise, SCC plus TIA — involving the effort of a case-by-case assessment of US law.
TheUS CLOUD Actthink ahead: He can compel US providers to disclose information, even if the data is located in an EU data center.
The simplest way to bypass all of this: EU hosting with a European provider. Where no third-country transfer takes place, Chapter V of the GDPR does not apply at all — no TIA, no DPF risk. That is exactly what Kasimir is built on.
Conclusion
Schrems II has shown that an EU server location alone is not sufficient as long as a provider is subject to US law. Those who wish to avoid this uncertainty altogether choose a European provider — our article explores this topic in more depth.Data sovereignty in the company; the overall framework is provided by theGuide to GDPR-compliant AI.
Sources
GDPR-compliant AI from a real German data center
Kasimir runs on its own infrastructure in Germany — no detour via US providers, no CLOUD Act reach.



