Schrems II: Why Your Data's Legal Path Across Borders Matters

June 30, 2026 · Haven Team

In July 2020, the European Union's highest court struck down the legal framework that thousands of companies relied on to move personal data from Europe to the United States. The ruling, known as Schrems II, did something unusual for a privacy decision: it made the technical question of who can compel access to data a binding legal one, and it named strong encryption as one of the few safeguards capable of answering it.


The case is named for Max Schrems, an Austrian lawyer and privacy advocate who has spent more than a decade challenging how American companies handle European data. His first case, Schrems I in 2015, brought down the Safe Harbor agreement. Schrems II, decided by the Court of Justice of the European Union, brought down its replacement, the EU-US Privacy Shield, and tightened the rules on the main remaining transfer mechanism.

To see why a court cares about this, you need the structure underneath. Under the GDPR, personal data about people in the EU cannot simply be exported to a country with weaker protections. Transfers are only legal through specific mechanisms: an adequacy decision declaring a country's protections essentially equivalent to Europe's, or contractual tools that promise equivalent protection in the absence of one.

What the Court Actually Decided

Schrems II made two rulings that pointed in opposite directions.

First, it invalidated the Privacy Shield, the adequacy arrangement that let companies self-certify and transfer data to the US freely. The court found that US surveillance law, in particular programs operating under Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333, gave American intelligence agencies access to data in ways that were not proportionate by EU standards, and that EU individuals had no meaningful way to seek redress in US courts.

Second, it preserved Standard Contractual Clauses, the contract templates companies use to commit to protecting transferred data. But it attached a heavy condition: clauses on paper are not enough. The party exporting the data must assess, case by case, whether the destination country's law actually lets those clauses be honored. Where the local surveillance regime would override the contract, the exporter must add supplementary measures or stop the transfer.

The core tension the court identified

A contract between two companies cannot bind a government. If US law compels a provider to hand data to an intelligence agency, no clause the provider signed with a European customer can prevent it. The court refused to let a paper promise substitute for a real one, and that is what shifted the burden onto technical safeguards.

Where Encryption Enters the Law

The guidance that followed, from the European Data Protection Board, had to answer a practical question: what supplementary measure can actually protect data against a government that can legally compel the company holding it? The answer that survived scrutiny was strong encryption, under specific conditions.

Encryption counts as an effective safeguard when the keys are held only by the data exporter or a trusted party in a jurisdiction that offers adequate protection, and never by the importer who is subject to the compelling government. Put plainly: if the data sitting on a US server is encrypted with keys that stay in Europe, a US legal demand served on the US provider produces ciphertext, not content. The provider cannot be compelled to hand over what it does not have the ability to read.

This is the same principle that makes end-to-end encryption meaningful against any provider-targeting legal process. The party who could be compelled is structurally unable to comply, because the capability to decrypt was never in their hands.
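The key-custody condition above can be checked mechanically against a transfer inventory. The following is an added example, not code from Haven or the EDPB; the record fields, role labels, party names and the set of adequate jurisdictions are assumptions supplied by whoever runs the assessment.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class KeyHolder:
    party: str
    role: str          # hypothetical labels: "exporter", "trusted_party", "importer"
    jurisdiction: str

@dataclass
class Transfer:
    dataset: str
    encrypted: bool
    key_holders: list = field(default_factory=list)

def custody_findings(t, adequate):
    """Reasons the encryption measure fails the key-custody condition; [] means it holds."""
    if not t.encrypted:
        return ["stored unencrypted at the importer"]
    if not t.key_holders:
        return ["key custody undocumented (fail closed)"]
    findings = []
    for h in t.key_holders:
        if h.role == "importer":
            # Any copy at the importer, even a recovery escrow, can be compelled.
            findings.append(f"{h.party}: importer holds a key copy")
        elif h.role == "trusted_party" and h.jurisdiction not in adequate:
            findings.append(f"{h.party}: trusted party in {h.jurisdiction}, outside the adequate set")
        elif h.role not in ("exporter", "trusted_party"):
            findings.append(f"{h.party}: unknown role {h.role!r} (fail closed)")
    return findings

def audit(inventory, adequate):
    """Map each dataset name to its list of findings."""
    return {t.dataset: custody_findings(t, adequate) for t in inventory}

# Constructed sample inventory; party names and the adequate set are assumptions.
ADEQUATE = {"EU"}
INVENTORY = [
    Transfer("crm-backup", True, [KeyHolder("Exporter GmbH", "exporter", "EU")]),
    Transfer("mail-archive", True, [KeyHolder("Exporter GmbH", "exporter", "EU"),
                                    KeyHolder("Provider Inc escrow", "importer", "US")]),
    Transfer("hr-records", True, [KeyHolder("Custodian Ltd", "trusted_party", "US")]),
    Transfer("web-logs", False),
    Transfer("legacy-share", True),
]

if __name__ == "__main__":
    for name, problems in audit(INVENTORY, ADEQUATE).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

The mail-archive case is the one most often missed in practice: the exporter holds the key, but a second copy at the importer puts the plaintext back within reach of a demand served on the importer.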

What Changed Since, and What Did Not

The legal scaffolding kept moving after 2020. A summary of where the major pieces stand:

| Mechanism | Status after Schrems II |
| --- | --- |
| Privacy Shield | Invalidated in 2020. Could no longer be used as a basis for EU-to-US transfers. |
| Standard Contractual Clauses | Still valid, but only with a transfer impact assessment and supplementary measures where the destination's law is the problem. |
| Data Privacy Framework | A new adequacy decision adopted in 2023 to replace Privacy Shield, paired with US executive reforms and a redress mechanism. Privacy advocates have signaled it will be challenged in turn. |
| Encryption with keys held outside the importer's jurisdiction | A recognized supplementary measure, independent of which political framework is current. |

The frameworks come and go. Safe Harbor fell, Privacy Shield fell, the Data Privacy Framework now stands and may be tested again. The reason this churn matters to an ordinary person is that each political deal is a promise about how a government will behave, and the court has twice found those promises wanting. The technical safeguard does not depend on the promise holding.

The Lesson Underneath the Law

Schrems II is, at bottom, a ruling about who holds the keys. The court looked past the contracts and the certifications and asked a concrete question: when a government demands this data, who has the ability to produce it? Wherever the answer was a company subject to that government, the protection failed. Wherever the data was unreadable to that company, the protection held.

That is a legal endorsement of an architectural principle, not a marketing one. A service that can read your data can be compelled to share it, and a service built so it cannot read your data has nothing to surrender. The same property that satisfies a European court is the property worth looking for as a user anywhere: not a jurisdiction you are told to trust, but a design where the trust is not required. We built Haven so that the content of your messages is encrypted to keys that live on your devices, which means the question Schrems II turned on, who can be compelled to hand over the plaintext, has a structural answer rather than a promised one.

For more on the surveillance laws the court was reacting to, see our explainers on FISA Section 702 and the CLOUD Act.
