[{"data":1,"prerenderedAt":497},["ShallowReactive",2],{"navigation-docs_en":3,"/en/blog/schrems-iii-cjeu-ruling-posts_en":51,"/en/blog/schrems-iii-cjeu-ruling-surround-posts_en":491},[4],{"title":5,"path":6,"stem":7,"children":8,"page":25},"En","/en","en",[9],{"title":10,"path":11,"stem":12,"children":13,"page":25},"Docs","/en/docs","en/1.docs",[14,26],{"title":15,"path":16,"stem":17,"children":18,"icon":25},"Getting Started","/en/docs/getting-started","en/1.docs/1.getting-started/1.index",[19,21],{"title":20,"path":16,"stem":17,"children":-1},"Introduction",{"title":22,"path":23,"stem":24,"children":-1},"Migration Roadmap","/en/docs/getting-started/migration-fahrplan","en/1.docs/1.getting-started/2.migration-fahrplan",false,{"title":27,"path":28,"stem":29,"children":30,"page":25},"Technologies","/en/docs/technologies","en/1.docs/2.technologies",[31,35,39,43,47],{"title":32,"path":33,"stem":34,"children":-1},"Nextcloud","/en/docs/technologies/nextcloud","en/1.docs/2.technologies/1.nextcloud",{"title":36,"path":37,"stem":38,"children":-1},"Matrix / Element","/en/docs/technologies/matrix","en/1.docs/2.technologies/2.matrix",{"title":40,"path":41,"stem":42,"children":-1},"ONLYOFFICE","/en/docs/technologies/onlyoffice","en/1.docs/2.technologies/3.onlyoffice",{"title":44,"path":45,"stem":46,"children":-1},"Ubuntu Linux","/en/docs/technologies/ubuntu","en/1.docs/2.technologies/4.ubuntu",{"title":48,"path":49,"stem":50,"children":-1},"Keycloak","/en/docs/technologies/keycloak","en/1.docs/2.technologies/5.keycloak",{"id":52,"title":53,"authors":54,"badge":60,"body":62,"date":479,"description":480,"extension":481,"faq":482,"howto":482,"image":483,"meta":485,"navigation":486,"path":487,"seo":488,"stem":489,"__hash__":490},"posts_en/en/3.blog/9.schrems-iii-cjeu-ruling.md","Schrems III – What the 2026/2027 CJEU Ruling Means for European SMEs",[55],{"name":56,"to":57,"avatar":58},"europioneer Team","https://europioneer.io",{"src":59},"/favicon.svg",{"label":61},"Legal",{"type":63,"value":64,"toc":463},"minimark",[65,69,105,108,113,124,131,135,167,171,174,200,207,211,214,266,273,277,282,304,308,329,333,348,352,355,418,433,437,457],[66,67,53],"h1",{"id":68},"schrems-iii-what-the-20262027-cjeu-ruling-means-for-european-smes",[70,71,72,76,77,80,81,84,85,88,89,94,95,99,100,104],"p",{},[73,74,75],"strong",{},"Max Schrems"," has done it twice. ",[73,78,79],{},"Safe Harbor (2015) — struck down. Privacy Shield (2020) — struck down."," Now comes the third attempt: ",[73,82,83],{},"Schrems III",", targeting the ",[73,86,87],{},"EU-US Data Privacy Framework (DPF)",". Most privacy lawyers expect a third win for the plaintiffs. The situation is sharpened by the ",[90,91,93],"a",{"href":92},"/en/blog/cloud-act-2026","CLOUD Act",", the new ",[90,96,98],{"href":97},"/en/blog/nis2-gdpr-microsoft-paradox","NIS2 obligations",", and the ",[90,101,103],{"href":102},"/en/blog/bsi-it-grundschutz-microsoft-365","BSI IT-Grundschutz incompatibilities"," with Microsoft 365.",[70,106,107],{},"What does that mean for your business?",[109,110,112],"h2",{"id":111},"whats-at-stake","What's at stake?",[70,114,115,116,119,120,123],{},"The ",[73,117,118],{},"EU-US Data Privacy Framework"," is the ",[73,121,122],{},"third attempt"," by the European Commission to create a legal framework for transatlantic data transfers after the first two failed.",[70,125,126,127,130],{},"Schrems' central argument: the DPF doesn't change the underlying problem — ",[73,128,129],{},"US intelligence services still have access"," to personal data of EU citizens under FISA Section 702 and Executive Order 12333. Trump 2.0 has only expanded these powers.",[109,132,134],{"id":133},"why-the-plaintiffs-have-strong-odds","Why the plaintiffs have strong odds",[136,137,138,145,155,161],"ol",{},[139,140,141,144],"li",{},[73,142,143],{},"Structural argument:"," The DPF is built on US promises, not legislative change",[139,146,147,150,151,154],{},[73,148,149],{},"Trump factor:"," The second Trump administration politicised and hollowed out the ",[73,152,153],{},"Privacy and Civil Liberties Oversight Board (PCLOB)"," in 2025 — a pillar of the DPF",[139,156,157,160],{},[73,158,159],{},"Precedent:"," The CJEU ruled in strong terms in Schrems I and II; reversing course would be hard to justify",[139,162,163,166],{},[73,164,165],{},"Advocate General signals:"," Early opinions lean towards the plaintiffs",[109,168,170],{"id":169},"what-happens-after-a-ruling-in-favour-of-the-plaintiffs","What happens after a ruling in favour of the plaintiffs?",[70,172,173],{},"The choreography is familiar from Schrems II:",[136,175,176,182,188,194],{},[139,177,178,181],{},[73,179,180],{},"Adequacy decision invalidated"," — with immediate effect",[139,183,184,187],{},[73,185,186],{},"Transition period"," — likely 3–6 months",[139,189,190,193],{},[73,191,192],{},"Standard Contractual Clauses (SCCs)"," with additional safeguards become the fallback — but DPAs scrutinise harder",[139,195,196,199],{},[73,197,198],{},"Data exports to the US"," become very difficult in practice",[70,201,202,203,206],{},"Concretely: Microsoft 365, Google Workspace, AWS, Salesforce, Slack, Zoom become ",[73,204,205],{},"even more legally questionable"," than today.",[109,208,210],{"id":209},"real-fine-exposure","Real fine exposure",[70,212,213],{},"Post-Schrems-II precedents:",[215,216,217,230],"table",{},[218,219,220],"thead",{},[221,222,223,227],"tr",{},[224,225,226],"th",{},"Case",[224,228,229],{},"Fine",[231,232,233,242,250,258],"tbody",{},[221,234,235,239],{},[236,237,238],"td",{},"Meta (Ireland, 2023)",[236,240,241],{},"€1.2 B",[221,243,244,247],{},[236,245,246],{},"Amazon (Luxembourg, 2021)",[236,248,249],{},"€746 M",[221,251,252,255],{},[236,253,254],{},"WhatsApp (Ireland, 2021)",[236,256,257],{},"€225 M",[221,259,260,263],{},[236,261,262],{},"H&M (Hamburg, 2020)",[236,264,265],{},"€35 M",[70,267,268,269,272],{},"SMEs are exposed too: several fines in the ",[73,270,271],{},"low to mid six figures"," have been issued for using US cloud services without a defensible legal basis.",[109,274,276],{"id":275},"what-to-do-now","What to do now",[278,279,281],"h3",{"id":280},"immediately-before-the-ruling","Immediately (before the ruling)",[136,283,284,290,297],{},[139,285,286,289],{},[73,287,288],{},"Data-flow audit:"," Which personal data goes into which US services?",[139,291,292,293,296],{},"Document a ",[73,294,295],{},"Transfer Impact Assessment (TIA)"," for each US service",[139,298,299,300,303],{},"Develop a ",[73,301,302],{},"fallback plan"," for your critical tools",[278,305,307],{"id":306},"mid-term-12-months","Mid-term (12 months)",[136,309,311,317,323],{"start":310},4,[139,312,313,316],{},[73,314,315],{},"Pilot an EU alternative"," — one department, one tool at a time",[139,318,319,322],{},[73,320,321],{},"Budget for migration"," — emergency migration after the ruling costs 3–5x more",[139,324,325,328],{},[73,326,327],{},"Renegotiate DPA clauses"," with US vendors (often unsuccessful, but document the attempt)",[278,330,332],{"id":331},"structural","Structural",[136,334,336,342],{"start":335},7,[139,337,338,341],{},[73,339,340],{},"EU-first policy"," — new tools are evaluated from EU vendors first, US only where gaps exist",[139,343,344,347],{},[73,345,346],{},"Sovereignty as a compliance requirement"," — write it into supplier contracts",[109,349,351],{"id":350},"tools-ready-to-deploy-today","Tools ready to deploy today",[70,353,354],{},"What europioneer sets up for you:",[356,357,358,364,370,379,388,394,400,406,412],"ul",{},[139,359,360,363],{},[73,361,362],{},"Email & calendar:"," Mailcow / Stalwart + Nextcloud",[139,365,366,369],{},[73,367,368],{},"Office suite:"," ONLYOFFICE / Collabora",[139,371,372,375,376],{},[73,373,374],{},"File storage:"," ",[90,377,32],{"href":378},"/en/blog/nextcloud-vs-onedrive-sharepoint",[139,380,381,375,384],{},[73,382,383],{},"Team chat:",[90,385,387],{"href":386},"/en/blog/microsoft-teams-alternative","Element/Matrix",[139,389,390,393],{},[73,391,392],{},"Video calls:"," Element Call / Jitsi / BigBlueButton",[139,395,396,399],{},[73,397,398],{},"Password manager:"," Vaultwarden",[139,401,402,405],{},[73,403,404],{},"Single sign-on:"," Keycloak",[139,407,408,411],{},[73,409,410],{},"CRM:"," EspoCRM, SuiteCRM, Odoo",[139,413,414,417],{},[73,415,416],{},"Project management:"," OpenProject",[70,419,420,421,424,425,428,429,432],{},"All hosted in ",[73,422,423],{},"Germany",", fully ",[73,426,427],{},"GDPR-compliant",", ",[73,430,431],{},"no CLOUD Act",".",[109,434,436],{"id":435},"conclusion","Conclusion",[70,438,439,440,444,445,448,449,452,453,432],{},"Schrems III isn't a question of ",[441,442,443],"em",{},"if",", but ",[441,446,447],{},"when",". Continuing to rely on US cloud in 2026 without a plan is ",[73,450,451],{},"knowingly running a compliance risk",". Migrating buys legal certainty — and ",[90,454,456],{"href":455},"/en/blog/microsoft-vs-opensource","in most cases saves money too",[70,458,459],{},[90,460,462],{"href":461},"/en/contact?subject=Schrems-III","Book a free Schrems III preparation call →",{"title":464,"searchDepth":465,"depth":465,"links":466},"",2,[467,468,469,470,471,477,478],{"id":111,"depth":465,"text":112},{"id":133,"depth":465,"text":134},{"id":169,"depth":465,"text":170},{"id":209,"depth":465,"text":210},{"id":275,"depth":465,"text":276,"children":472},[473,475,476],{"id":280,"depth":474,"text":281},3,{"id":306,"depth":474,"text":307},{"id":331,"depth":474,"text":332},{"id":350,"depth":465,"text":351},{"id":435,"depth":465,"text":436},"2026-05-12T00:00:00.000Z","Max Schrems has filed his third lawsuit against the EU-US Data Privacy Framework. Most observers expect a third ruling in favour of the plaintiffs. Here's what companies should do now.","md",null,{"src":484},"https://images.unsplash.com/photo-1589829545856-d10d557cf95f?w=1200&q=80",{},true,"/en/blog/schrems-iii-cjeu-ruling",{"title":53,"description":480},"en/3.blog/9.schrems-iii-cjeu-ruling","uMWJ2cDZ74PDGEBKlIlN9FWab2z9GXw6zJOEeTy4nGY",[492,482],{"title":493,"path":494,"stem":495,"description":496,"children":-1},"Microsoft 365 in Schools – Why German States Are Pulling Out","/en/blog/microsoft-365-schools","en/3.blog/8.microsoft-365-schools","Data-protection authorities and education ministries are increasingly rejecting Microsoft 365 in schools. What school boards and parents need to know in 2026 — and what alternatives exist.",1779405610290]