Schrems II

Ainode Privacy Glossary · Auditor: Tomás Maria Vaz de Noronha

In short. Schrems II is the 2020 ruling by the European Court of Justice (Case C-311/18) that invalidated the EU-US Privacy Shield framework. The court held that US surveillance laws (notably FISA section 702 and Executive Order 12333) provided insufficient safeguards for personal data transferred from the EU to the US. The practical consequence: any EU-to-US data transfer now requires either the EU-US Data Privacy Framework (DPF, since 2023) or Standard Contractual Clauses with Transfer Impact Assessments. Wearables that send health/location/voice data to US-only servers without these tools are at risk.

The ruling in plain English

The European Court of Justice said that EU citizens' data sent to the US is exposed to US government surveillance in ways inconsistent with EU fundamental rights. Therefore the Privacy Shield (the framework that previously legitimised most EU-US transfers) was invalid. Companies still wanting to transfer data needed alternative legal mechanisms.

Subsequent developments — DPF (2023)

In 2023 the European Commission adopted a new adequacy decision for the EU-US Data Privacy Framework (DPF). Companies that self-certify under DPF can transfer EU data to the US under that framework. However, DPF is being challenged in court (a Schrems III case is anticipated) and many privacy advocates consider it transitional rather than final.

Implications for wearable buyers

A US-headquartered wearable manufacturer (Whoop, Apple, Fitbit/Google, etc.) likely either self-certifies under DPF or relies on SCCs. The buyer rarely sees this disclosure explicitly. Ainode's position: where the data flow is documented (Tier C), we disclose it openly in our audits. Where the flow is hidden or undocumented, the device fails on the transparency dimension and may be downgraded.