Schrems II

Schrems II (CJEU Case C-311/18, July 2020) invalidated the EU-US Privacy Shield and confirmed that controllers must verify the destination country provides essentially equivalent protection before transferring personal data outside the European Economic Area. Where it does not, supplementary measures must be applied.