Schrems II

The 2020 Court of Justice of the European Union ruling that invalidated the EU–US Privacy Shield, requiring additional safeguards before EU personal data can be transferred to non-EU jurisdictions.

What it is

Schrems II refers to the 2020 ruling by the Court of Justice of the European Union (CJEU) in case C-311/18 (Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems). The court invalidated the EU–US Privacy Shield framework that had allowed EU personal data to flow to US-based service providers. The court found that US national security law (FISA section 702, Executive Order 12333) gave US intelligence agencies access to EU personal data in ways incompatible with EU fundamental rights. After the ruling, organisations transferring EU personal data outside the EU must conduct a Transfer Impact Assessment (TIA) and apply Supplementary Measures — typically encryption, pseudonymisation, or contractual safeguards — that mitigate the access risk.

Why it matters

Schrems II changed the calculus on cloud and SaaS for European companies. Tools running on US infrastructure — even with EU data centres — became risky if the operator was subject to US discovery law. The 2023 EU–US Data Privacy Framework (the successor to Privacy Shield) restored some flow, but it is being challenged in court (Schrems III is in motion as of 2026), and many regulated EU buyers — financial services, public sector, defence-adjacent — now require EU-only operators by policy, regardless of which framework is currently active. Schrems II compliance is no longer optional; it is structurally embedded in EU enterprise procurement.

How Norrsent handles it

Norrsent processes EU customer data only in the EU. Primary region is Frankfurt (eu-central-1); disaster recovery is Dublin (eu-west-1). No data leaves the EU — neither in primary processing nor backup, neither under normal operation nor under any contractual arrangement. The company is EU-incorporated; sub-processors are listed publicly and screened against the same EU-only constraint.

Common questions

Does the 2023 EU–US Data Privacy Framework reverse Schrems II?
It restored a legal mechanism for EU–US data flow under conditions, but it has not removed the underlying risk. The framework is being legally challenged (the case is being called Schrems III). Many EU enterprises still treat US-based processors as elevated risk regardless of the framework's status.
Is Schrems II only about US transfers?
No. The principles — Transfer Impact Assessment, Supplementary Measures, equivalent protection — apply to any transfer outside the EU/EEA. The US case is the most prominent because of its volume; the same logic applies to the UK (post-Brexit, with adequacy), India, Singapore, and others.
What does 'Schrems II compliant' mean for a vendor?
Operationally: EU-only data residency, EU-incorporated sub-processors, no cross-border access by default, encryption at rest and in transit, and a Transfer Impact Assessment available on request. The phrase is shorthand; the substance is the assessment and the controls.