Schrems II is the 2020 ruling from the EU Court of Justice that invalidated the EU-US Privacy Shield and changed the operational standard for cross-border data transfers under GDPR. The case is named after Max Schrems, the Austrian privacy activist whose complaint against Facebook produced both Schrems I (which killed Safe Harbor in 2015) and Schrems II (which killed Privacy Shield five years later).
The case did two things that matter for in-house teams. First, it killed Privacy Shield as a transfer mechanism overnight, which forced thousands of US-bound data flows back to Standard Contractual Clauses. Second, and more lasting, it held that the SCCs by themselves are not enough. Exporters have to assess the receiving country's surveillance law, determine whether it provides "essentially equivalent" protection to GDPR, and add supplementary measures (encryption, pseudonymization, contractual restrictions) where it does not.
That assessment is the Transfer Impact Assessment. Schrems II is why TIAs exist as an operational requirement. The European Data Protection Board has issued guidance on how to do them, and most multinationals have settled into a pattern: a one-time assessment per receiving country with a refresh cadence and a documented record kept alongside the DPA.
The 2023 EU-US Data Privacy Framework gives EU-to-US transfers an adequacy decision again, which removes the Schrems II requirement for participants in the framework. That said, the underlying principle Schrems II established (assess third-country law before relying on SCCs) still applies to every other non-adequate jurisdiction. Practically, every modern privacy program treats Schrems II as the floor, not the ceiling.