The Data Privacy Earthquake You Can’t Ignore
In the world of data privacy, few rulings have sent shockwaves as powerful as the “Schrems II” decision from the Court of Justice of the European Union (CJEU). If your website operates in the US but serves a global audience—or even if you just use common analytics and marketing tools—this ruling has profound implications for your business. It fundamentally changes the rules for transferring personal data from the European Union to the United States.
Ignoring Schrems II isn’t just a compliance risk; it’s a direct threat to your data strategy, your marketing efforts, and your bottom line. Companies that fail to adapt face staggering fines, operational disruption, and a loss of customer trust. This guide will break down what Schrems II is, how it impacts your US-based operations, and what concrete steps you need to take now to ensure you’re not caught in the regulatory crossfire.
What Exactly Is Schrems II?
To understand Schrems II, we need to rewind to its predecessor. The EU’s General Data Protection Regulation (GDPR) is famously strict about transferring personal data outside the EU. For years, the primary legal mechanism allowing data transfers to the US was the EU-US Privacy Shield, an agreement that certified US companies as having “adequate” data protection standards.
Enter Max Schrems, an Austrian privacy advocate who argued that US surveillance laws—specifically Section 702 of the Foreign Intelligence Surveillance Act (FISA 702)—gave US government agencies excessive access to the data of EU citizens, even when held by private companies. He contended that this level of access was incompatible with the fundamental rights guaranteed under GDPR.
In July 2020, the CJEU agreed with him. The court’s Schrems II decision invalidated the EU-US Privacy Shield framework entirely.
The court ruled that the surveillance programs in the United States were not limited to what is strictly necessary and proportional, and that EU citizens had no effective legal remedy against this surveillance in US courts. In one fell swoop, the primary legal basis for over 5,000 US companies to receive personal data from the EU was gone.
Why Should a US-Based Company Care?
It’s easy to think of this as a “European problem,” but that’s a dangerous misconception. If your website uses tools like Google Analytics, HubSpot, Salesforce, or virtually any major SaaS platform hosted in the US, you are likely processing data from EU citizens.
Here’s why this matters to you:
- You’re Using Non-Compliant Tools: The majority of marketing and analytics platforms are hosted on US-based servers (think Google Cloud, AWS). Under Schrems II, simply sending EU user data to these servers for processing is now a restricted transfer.
- The Fines are Massive: GDPR penalties are severe, reaching up to €20 million or 4% of your company’s global annual revenue, whichever is higher. Regulators in countries like France and Austria have already started fining companies specifically for using tools like Google Analytics in a non-compliant manner.
- Standard Contractual Clauses (SCCs) Are Not a Silver Bullet: The backup plan for many was to rely on Standard Contractual Clauses (SCCs). These are pre-approved legal contracts for data transfers. However, the Schrems II ruling complicated their use. The court stated that SCCs are still valid, but only if the data exporter (your company) verifies that the recipient country (the US) provides a level of data protection equivalent to the EU’s. Given the court’s concerns about US surveillance, this is a very high bar to clear.
This verification requires a Transfer Impact Assessment (TIA), where you must document the risks and implement “supplementary measures” to protect the data. This is a complex, legally intensive process that many businesses are ill-equipped to handle.
The Path Forward: Practical Steps for US Businesses
Panic isn’t a strategy. Compliance is. The invalidation of the Privacy Shield doesn’t mean you have to stop doing business in Europe, but it does mean you need a smarter, more deliberate approach to your data architecture.
1. Conduct a Data Transfer Audit
You can’t protect what you don’t know. The first step is to map every single flow of personal data from EU users.
- Identify Your Tools: List every third-party vendor you use—analytics, CRM, email marketing, cloud hosting, etc.
- Locate the Data: For each vendor, determine where their servers are located. If they are in the US, that’s a restricted transfer.
- What Data is Being Sent?: Are you sending IP addresses, user IDs, email addresses, or other personal identifiers? Be specific.
2. Evaluate Your Legal Basis for Transfers
With the Privacy Shield gone, you must rely on an alternative.
- Standard Contractual Clauses (SCCs): This is the most common alternative. You must sign the latest version of the SCCs with your US-based vendors. But remember, this isn’t enough. You also need to conduct a TIA for each transfer.
- Binding Corporate Rules (BCRs): For large multinational corporations, BCRs can be a solution for intra-company transfers, but they are expensive and time-consuming to get approved.
- Derogations: GDPR allows for transfers based on explicit user consent, but this consent must be specific, informed, and freely given for each transfer. This is not practical for ongoing, systematic transfers like website analytics.
3. Implement Supplementary Measures with Server-Side Tagging
This is where technology provides a solution to a legal problem. The core issue with US surveillance is access to unencrypted personal data. By implementing supplementary measures, you can de-risk the transfer.
Server-side tagging is the single most effective technical measure you can implement.
Here’s how it works: Instead of sending data directly from a user’s browser to Google, Facebook, and other vendors in the US, you send it to a secure proxy server that you control. This server acts as an intermediary.
- Anonymization and Pseudonymization: On your server-side container (e.g., a Server-Side Google Tag Manager container), you can redact, hash, or remove personal identifiers before the data is forwarded to US-based endpoints. You can strip IP addresses, remove precise location data, and hash user IDs.
- Data Control: This architecture puts you back in control. You decide exactly what data each vendor receives, ensuring you only send the minimum necessary for the task.
- Reduced Exposure: US authorities can only access the data that is physically sent to US servers. If you’ve properly anonymized the data on your server-side proxy (which can be hosted in the EU), the data arriving in the US may no longer qualify as personal data under GDPR, neatly sidestepping the core issue of Schrems II.
This isn’t a theoretical fix. This is the practical solution that privacy-conscious businesses are actively deploying to continue using their essential marketing and analytics tools in a compliant manner.
Don’t Wait for the Next Fine
The post-Schrems II era is one of heightened scrutiny. European data protection authorities are actively investigating and penalizing companies for non-compliant data transfers. The recently announced EU-US Data Privacy Framework aims to replace the Privacy Shield, but it will undoubtedly face legal challenges, just as its predecessors did.
Relying on a constantly shifting legal landscape is not a sustainable business strategy. The only durable solution is to build a resilient, privacy-first data architecture. Server-side tagging provides that foundation. It allows you to meet your legal obligations under GDPR while still gaining the valuable insights you need to grow your business.
Stop risking your business on outdated data practices. The time to act is now.
Ready to future-proof your data strategy? Rawsoft offers a free, no-obligation Privacy Compliance Audit. We’ll help you identify your Schrems II risks and build a roadmap for a compliant, server-side data infrastructure. Schedule your free audit today.