Schrems III is coming: What a US ruling means for data transfers by European companies

- The EU-US Data Privacy Framework is on shaky ground: A US Supreme Court ruling has overturned the independence of the US Federal Trade Commission (FTC), thereby undermining the foundation for transatlantic data transfers.
- This affects almost every European company that uses US tools such as Microsoft 365, Google Workspace, Salesforce, or AWS and transfers personal data to the United States in the process.
- The DPF remains formally valid for now, but experience shows that a revocation process takes two to three years. Taking action now helps you avoid future time pressure and secures a strategic advantage.
- Standard Contractual Clauses (SCCs) remain an alternative, but they require a separate Transfer Impact Assessment (TIA) for every single data transfer—which means significantly more effort than before.
- Digital sovereignty is becoming a competitive advantage: Companies that document their data transfers now and evaluate European alternatives are legally protected and gain a valuable differentiator.
Background: Why is the transatlantic data privacy framework at risk?
Since July 2023, the EU-US Data Privacy Framework (DPF) has governed data transfers between the EU and the US. It is already the third attempt at a transatlantic data protection agreement: Safe Harbor failed in 2015 before the European Court of Justice, which also invalidated its successor, the Privacy Shield, in 2020. At the time, the court ruled that US authorities had excessive access to European data and that affected individuals had little legal recourse.
The DPF was intended to close these gaps. It forms the legal basis for almost every US data transfer in Europe. To date, the US Federal Trade Commission (FTC) has monitored, as an independent agency, whether US companies comply with European data protection requirements.
The importance of the FTC's independence is highlighted by a look at the European Commission's adequacy decision: it is mentioned exactly 259 times. However, the US Supreme Court has now ruled that the FTC no longer needs to be independent of the President.
What does the FTC ruling say?
In its ruling in Trump v. Slaughter the court decided that the US President may dismiss FTC commissioners at any time and without providing a reason. The FTC is therefore no longer an independent agency, but rather politically controllable.
Max Schrems, the Austrian privacy activist who already brought down Safe Harbor and Privacy Shield before the ECJ, and his organization noyb have already called on the European Commission to revoke the adequacy decision. Since this would be the third fundamental case before the ECJ led by Schrems, it is being referred to as Schrems III.
What does Schrems III mean for companies?
Companies do not need to expect immediate fines if they continue to use US tools. The DPF is still formally in effect, and the adequacy decision remains valid until the EU Commission revokes it or the ECJ declares it void. Experience shows this process takes two to three years.
- What remains in effect during this time: Not every data transfer to the US is automatically problematic. The GDPR only applies to personal data, i.e., information that can be linked to a specific individual. Anonymized or purely business-related data can continue to be transferred. Individual, clearly justified transfers also remain permissible in exceptional cases, such as when a contract with the data subject makes the transfer mandatory.
- What becomes legally risky, however: Companies that process customer data, employee data, or other personal information via US services on an ongoing basis must expect consequences in the future.
Are Standard Contractual Clauses also affected?
Many companies work in parallel with the DPF using Standard Contractual Clauses (SCCs) as a safeguard. These contractual clauses, provided by the EU Commission, are intended to contractually guarantee adequate data protection. They serve as a fallback optionwhen no adequacy decision exists.
The problem: SCCs require an internal risk assessment, a Transfer Impact Assessment (TIA). This allows companies to evaluate whether the level of data protection in the destination country is sufficient. Anyone who can no longer rely on the DPF in the future and switches to SCCs instead must conduct such an assessment for every affected data transfer.
This means: Companies working with SCCs will likely need to Transfer Impact Assessments in the future.
Which tools are specifically affected by the new FTC ruling?
Practically every company that uses US software is potentially affected by Schrems III:
- Microsoft 365 (Teams, SharePoint, OneDrive)
- Google Workspace (Gmail, Drive, Meet)
- Salesforce
- Amazon Web Services (AWS)
- Other US cloud services where personal data is transferred to the US
What should companies do now?
The recent Schrems rulings have shown that changes to the legal framework for US data transfers in Europe can mean a massive increase in administrative burden for hundreds of thousands of companies. Affected companies must, for example, implement complex individual regulations before using new tools and sometimes live in legal uncertainty for years.
Acting early provides a real advantage. Proliance recommends the following immediate measures:
- Document data transfers thoroughly: What personal data is being transferred to the US? To which providers? On what legal basis? EA data protection platform like Proliance 360 simplifies the seamless documentation of data transfers.
- Prepare for more TIAs: If the DPF is invalidated and data transfers must be secured using SCCs, more TIAs will need to be conducted in the future.
- Evaluate alternatives: Are there European alternatives to the US tools currently in use? Which data could be migrated to EU servers? For cloud services, the SEAL framework provides guidance on which providers are independent of the US.
- Involve your Data Protection Officer: Internal or external data protection officers should be actively involved in assessing the situation.
- Monitor developments: Noyb has announced a legal challenge, meaning the CJEU is already looking into the DPF. The situation can change at any time.
Conclusion: Stay agile through preparation and digital sovereignty
Following Safe Harbor and the Privacy Shield, the Data Privacy Framework is now also on shaky ground. Those who critically evaluate their software stack, document data transfers, and explore alternatives now will be on the safe side legally and gain a strategic advantage: companies that improve their digital sovereignty gain a valuable competitive edge.
Alexander Ingelheim, co-founder and CEO of Proliance, says: "Anyone who doesn't start documenting their data transfers and exploring alternatives now will be under time pressure in 12 to 18 months. Digital sovereignty thus gains another advantage."
The data protection experts at Proliance are happy to advise you and show you concrete options for action before time runs out.
Still have questions? We have the answers.
A June 2026 U.S. Supreme Court ruling has stripped the U.S. Federal Trade Commission (FTC) of its independence, effectively undermining the foundation of the EU-U.S. Data Privacy Framework. This decision impacts nearly every company that utilizes U.S.-based tools such as Microsoft 365, Google Workspace, or AWS. Proliance is here to help you assess your data transfers and ensure they remain legally compliant.
No, the Data Privacy Framework remains formally in effect. Experience shows that a revocation typically takes two to three years. Nevertheless, companies should act now: document data transfers and evaluate alternatives. Proliance 360 simplifies the comprehensive documentation of your data transfers.
SCCs remain a solid alternative to the DPF in principle. However, while the DPF applies broadly to certified US providers, SCCs require a separate TIA for every individual data transfer. This means that if you use ten US tools, you will need to conduct ten separate assessments in the future. The data protection experts at Proliance are happy to advise you on how to keep this effort to a minimum.
Do you have further questions on this topic? Our experts will be happy to advise you free of charge.




.avif)









