What is Schrems II (CJEU C-311/18)?

The CJEU C-311/18 (Schrems II) ruling of 16 July 2020 reformed EU data-transfer law. Origin: Maximilian Schrems' complaint against Facebook Ireland → Facebook USA invoking the Charter of Fundamental Rights. Core rulings: (1) The EU-US Privacy Shield (then the basis for US data transfers) is immediately invalid — insufficient protection against US surveillance (FISA 702 + EO 12333). (2) SCCs remain valid, but users must assess per case whether the destination country offers additional safeguards. SCC alone not enough? Then additional measures needed or stop the transfer. Effect: in the Netherlands concrete signals — AP since 2022 has investigated companies still using Google Analytics (case similar to France + Austria). Many businesses switched to self-hosted analytics (Matomo, Plausible) or EU-only cloud providers. Transfer Impact Assessment (TIA): mandatory part since Schrems II. Assess: destination country surveillance law, availability of judicial review, and which supplementary measures are needed. Schrems III? The 2023 EU-US Data Privacy Framework succeeds Privacy Shield. NOYB (Schrems' NGO) has announced it will also challenge this — ruling expected ~2026-2027. Practical for Dutch SMBs: if you use US SaaS tools (HubSpot, Mailchimp, Slack), check DPA + SCCs + TIA. Safest: choose EU-only alternative where possible.