Schrems II Data Transfer
aka Schrems II, C-311/18, Schrems II ruling
The 2020 Court of Justice ruling that struck down Privacy Shield and forced Irish controllers to assess US surveillance risk before sending personal data to US-hosted AI tools, even with Standard Contractual Clauses in place.
Last reviewed May 2026
Definition
In July 2020 the Court of Justice of the European Union, in a case brought by Austrian campaigner Max Schrems against Facebook Ireland, invalidated the EU-US Privacy Shield framework that had been the main legal route for transferring personal data to US-based service providers. The court held that US surveillance law (in particular FISA 702 and EO 12333) does not give EU data subjects protection equivalent to GDPR, and that Standard Contractual Clauses (SCCs) alone are not enough unless the controller also assesses the destination country's legal environment and adds supplementary measures where needed. This assessment is the Transfer Impact Assessment.
The 2023 EU-US Data Privacy Framework (DPF) partly addresses Schrems II for vendors that self-certify under it (most large US AI vendors have), but Schrems himself has indicated he will challenge the new framework as well, and the underlying surveillance laws have not changed.
For Irish controllers using US-hosted AI tools (ChatGPT, Claude, Jasper, Notion AI) the practical implication is that simply signing a Data Processing Agreement with SCCs is not sufficient documentation. The controller must record why the chosen US vendor is acceptable for the categories of personal data being processed, whether the EU-US DPF certification applies, what supplementary measures (encryption, pseudonymisation, contractual restrictions on government access) are in place, and what happens if the DPF is invalidated.
Why it matters for software choice
Most leading AI tools are US-headquartered and process personal data on US infrastructure. Irish controllers cannot delegate the legal risk to the vendor's Data Processing Agreement (DPA). The DPC expects to see a Transfer Impact Assessment on file for any AI workflow that contains personal data and touches US infrastructure, even when the vendor self-certifies under the EU-US Data Privacy Framework.
Authority sources
- Court of Justice of the EU - Judgment C-311/18 (Schrems II) (curia.europa.eu)
- EDPB - Recommendations 01/2020 on measures supplementing transfer tools (www.edpb.europa.eu)
Software categories this affects
Vendors covered by this term
ChatGPT Enterprise
OpenAI's enterprise AI assistant with advanced reasoning, data analysis, and custom GPTs
Claude for Business
Anthropic's AI assistant with strong safety focus, long context handling, and business-grade data privacy
Jasper AI
AI content platform for marketing teams, with brand voice and campaign management
Notion AI
AI writing and knowledge management built into the Notion workspace platform
Related terms
Standard Contractual Clauses
Pre-approved contractual templates issued by the European Commission for transferring personal data outside the EEA. The default fallback when no adequacy decision applies.
Data Transfer Impact Assessment
Documented assessment of whether a non-EEA jurisdiction provides essentially equivalent protection for personal data, required after Schrems II for transfers under SCCs.
Data Residency (EU vs US)
Where customer personal data is stored and processed. Storing inside the EU/EEA simplifies GDPR compliance; processing in the US triggers transfer-mechanism obligations under Schrems II.
Data Protection Commission
Ireland's national data protection authority. Lead supervisory authority for many large US tech companies headquartered in Dublin under the GDPR's one-stop-shop mechanism.
DPC Guidance on AI
Published positions from Ireland's Data Protection Commission on how AI and large language models interact with GDPR. The closest thing to an official Irish AI rulebook for SMEs.