Glossary term
Schrems II
Also: CJEU C-311/18, Privacy Shield ruling
CJEU ruling of 16 July 2020 that invalidated the EU-US Privacy Shield and allowed Standard Contractual Clauses (SCCs) only with additional safeguards. Consequence: third-country data transfers need a Transfer Impact Assessment (TIA) plus additional protective measures.
Background: Max Schrems brought a complaint against data transfers from Facebook Ireland to Facebook USA. The CJEU found that US law (FISA 702, EO 12333) does not meet GDPR minimum requirements.
Consequence for EU companies: each third-country transfer requires a TIA that assesses the recipient country's protection level. Where gaps exist, additional measures are needed, such as encryption with EU key custody, pseudonymisation, contractual clauses and technical separation.
Status 2026: the EU-US Data Privacy Framework (DPF) has replaced Privacy Shield since July 2023. It offers a certification basis for DPF-certified US companies, but the DPF can be invalidated at any time. Conservative GDPR practice: continue with TIAs and protective measures.
Related terms
TIA
Assessment of the protection level in the recipient country for data transfers to third countries af…
DPIA
Mandatory assessment under GDPR Art. 35 where processing is likely to result in high risk to the rig…
Sovereign cloud
A cloud deployment model that guarantees operational, legal and technical control of data and worklo…
SASE
Gartner architecture category combining network (SD-WAN) and security functions (SWG, CASB, ZTNA, FW…
SBOM
Machine-readable inventory of all components in a software incl. versions, licences and dependencies…
SIEM (Security Information and Event Management)
A platform that centralises security logs, enables long-term retention, runs correlation rules and s…
SOC 2 Type 2
Audit report by a US public accountant under AICPA SSAE 18 standard, confirming the operating effect…
SSE
Subset of SASE without SD-WAN. Bundles SWG, CASB, ZTNA and (increasingly) DLP/RBI in a cloud platfor…
