Schrems III – What the 2026/2027 CJEU Ruling Means for European SMEs
Max Schrems has done it twice. Safe Harbor (2015) — struck down. Privacy Shield (2020) — struck down. Now comes the third attempt: Schrems III, targeting the EU-US Data Privacy Framework (DPF). Most privacy lawyers expect a third win for the plaintiffs. The situation is sharpened by the CLOUD Act, the new NIS2 obligations, and the BSI IT-Grundschutz incompatibilities with Microsoft 365.
What does that mean for your business?
What's at stake?
The EU-US Data Privacy Framework is the third attempt by the European Commission to create a legal framework for transatlantic data transfers after the first two failed.
Schrems' central argument: the DPF doesn't change the underlying problem — US intelligence services still have access to personal data of EU citizens under FISA Section 702 and Executive Order 12333. Trump 2.0 has only expanded these powers.
Why the plaintiffs have strong odds
- Structural argument: The DPF is built on US promises, not legislative change
- Trump factor: In January 2025 the second Trump administration removed members of the Privacy and Civil Liberties Oversight Board (PCLOB), leaving it without a quorum; the PCLOB is one of the oversight pillars the DPF relies on
- Precedent: The CJEU ruled in strong terms in Schrems I and II; reversing course would be hard to justify
- Advocate General signals: Early opinions lean towards the plaintiffs
What happens after a ruling in favour of the plaintiffs?
The choreography is familiar from Schrems II:
- Adequacy decision invalidated — with immediate effect
- Transition period — likely 3–6 months in practice; note that the CJEU granted no grace period at all in Schrems II, so any breathing room comes from how quickly DPAs start enforcing, not from the judgment itself
- Standard Contractual Clauses (SCCs) with additional safeguards become the fallback — but DPAs scrutinise harder
- Data exports to the US become very difficult in practice
Concretely: Microsoft 365, Google Workspace, AWS, Salesforce, Slack, Zoom become even more legally questionable than today.
Real fine exposure
Large GDPR fines issued since Schrems II (only the Meta case concerned data transfers to the US; the others show the scale that GDPR enforcement can reach):
| Case | Fine |
|---|---|
| Meta (Ireland, 2023) | €1.2 B |
| Amazon (Luxembourg, 2021) | €746 M |
| WhatsApp (Ireland, 2021) | €225 M |
| H&M (Hamburg, 2020) | €35 M |
SMEs are exposed too: several fines in the low to mid six figures have been issued for using US cloud services without a defensible legal basis.
What to do now
Immediately (before the ruling)
- Data-flow audit: Which personal data goes into which US services?
- Document a Transfer Impact Assessment (TIA) for each US service, along the lines of the EDPB Recommendations 01/2020 on supplementary measures, including any US sub-processors behind an EU-hosted service
- Develop a fallback plan for your critical tools
Mid-term (12 months)
- Pilot an EU alternative — one department, one tool at a time
- Budget for migration — emergency migration after the ruling costs 3–5x more
- Renegotiate the data processing agreement (DPA) clauses with US vendors (often unsuccessful, but document the attempt)
Structural
- EU-first policy — new tools are evaluated from EU vendors first, US only where gaps exist
- Sovereignty as a compliance requirement — write it into supplier contracts
Tools ready to deploy today
What europioneer sets up for you:
- Email & calendar: Mailcow / Stalwart + Nextcloud
- Office suite: ONLYOFFICE / Collabora
- File storage: Nextcloud
- Team chat: Element/Matrix
- Video calls: Element Call / Jitsi / BigBlueButton
- Password manager: Vaultwarden
- Single sign-on: Keycloak
- CRM: EspoCRM, SuiteCRM, Odoo
- Project management: OpenProject
All hosted in Germany by an EU-controlled operator, which is what keeps the CLOUD Act out of reach: the Act follows corporate control, not server location, so a German data centre run by a US-owned provider would not achieve the same result. GDPR compliance still depends on the operator and the customer doing their part (processing agreements, records of processing, access controls), not on the software alone.
Conclusion
Schrems III isn't a question of if, but when. Continuing to rely on US cloud in 2026 without a plan is knowingly running a compliance risk. Migrating buys legal certainty — and in most cases saves money too.