Schrems II: A Practical Guide for Website Operators
The July 2020 Schrems II ruling changed how European websites can lawfully use US-based tracking tools such as Google Analytics and Facebook Pixel. After several EU data protection authorities found standard Google Analytics deployments unlawful and Meta received a record €1.2 billion fine for its transatlantic transfers, understanding the ruling is no longer optional. The 2023 EU-US Data Privacy Framework provides relief for now, but its legal durability is in question, so businesses need to understand both the problem and the candidate solutions, including server-side tracking and data localization.
What happened in Schrems II?
On July 16, 2020, the Court of Justice of the European Union (CJEU) delivered a landmark judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Case C-311/18). The court made two critical decisions that reshaped international data transfers overnight.
First, the court invalidated the EU-US Privacy Shield with immediate effect. This adequacy framework had allowed over 5,000 US companies to legally receive personal data from the EU through self-certification. The court found that US surveillance laws—specifically Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333—permitted disproportionate government access to EU citizens' data without adequate safeguards or effective judicial remedies.
Second, the court upheld Standard Contractual Clauses (SCCs) but imposed strict new obligations. Companies can no longer simply sign SCCs and assume compliance. They must now conduct case-by-case Transfer Impact Assessments, evaluate whether the destination country's laws allow adequate protection, implement supplementary technical and organizational measures, and continuously monitor legal developments.
The core legal principle is "essentially equivalent protection"—any data transfer mechanism must ensure EU citizens' data receives protection substantially similar to what the GDPR and EU Charter of Fundamental Rights guarantee within Europe.
Why Privacy Shield failed (and what that means for you)
Privacy Shield collapsed because it couldn't protect against US intelligence surveillance. The court identified fatal flaws: US surveillance programs weren't limited to what's "strictly necessary," lacked clear scope limitations, and gave EU citizens no meaningful way to challenge government data access. The Privacy Shield Ombudsperson mechanism failed because it wasn't truly independent—the Ombudsperson reported to the Secretary of State and couldn't issue binding decisions against intelligence agencies.
This matters because the same surveillance laws that doomed Privacy Shield still apply to US tech companies today. Google, Meta (Facebook), Microsoft, and virtually all major US cloud and analytics providers fall under FISA 702's definition of an "electronic communication service provider," meaning US intelligence agencies can compel them to disclose data about non-US persons, including EU visitors to your site. Contractual clauses bind the parties that sign them, not government authorities, so SCCs on their own cannot close this gap, and it is precisely this gap that regulators now scrutinize.
The enforcement wave: Google Analytics and Facebook Pixel under fire
Following Schrems II, privacy advocate Max Schrems' organization NOYB filed 101 complaints across EU countries challenging Google Analytics use. The results fundamentally changed the analytics landscape:
Austria led the charge in December 2021 and April 2022, declaring Google Analytics violated GDPR Article 44 because SCCs couldn't protect against US surveillance. France followed in February 2022, ordering a website operator to stop using Google Analytics within one month. Italy confirmed the pattern in June 2022, finding that even IP address anonymization was insufficient because Google could enrich data through additional identifiers like ClientIDs and device information.
The first financial penalties arrived in July 2023 when Sweden fined Tele2 approximately €1 million and CDON €25,000 for Google Analytics use. These cases established that declarations of illegality had real teeth.
Meta faced even harsher consequences. In May 2023, Ireland's Data Protection Commission, following a binding decision from the European Data Protection Board, imposed a record-breaking €1.2 billion fine for continuing systematic data transfers to the US after Schrems II. The decision included orders to suspend future transfers within five months and cease unlawful processing of already-transferred data within six months.
The consistent finding across all these cases: IP addresses and tracking identifiers constitute personal data, US surveillance laws present unavoidable risks, and SCCs with standard technical measures aren't sufficient protection.
Standard Contractual Clauses in the post-Schrems II world
SCCs survived Schrems II but with dramatically increased complexity. The European Data Protection Board's Recommendations 01/2020 established a six-step roadmap that transforms SCCs from simple contracts into comprehensive risk assessment frameworks:
Step one: know your transfers, including remote access from a third country (a US-based support engineer reading an EU database is a transfer). Step two: identify the transfer tool you rely on under GDPR Article 46, typically SCCs. Step three: assess whether that tool is effective in practice, which means examining the destination country's laws and actual government practices, not just the contract text. Step four: adopt supplementary measures if the assessment shows the tool is not effective on its own. Step five: take any procedural steps the chosen measures require, such as consulting your supervisory authority if you modify the SCCs. Step six: re-evaluate at appropriate intervals as laws and practices change.
The crucial concept is "supplementary measures"—additional protections beyond contractual clauses. Technical measures might include end-to-end encryption where only EU-based entities hold decryption keys, pseudonymization that prevents identification, or data splitting across independent processors. Organizational measures include strict access controls, enhanced audit rights, and transparency commitments about government data requests.
However, the EDPB acknowledges that in some cases no supplementary measure is sufficient. Its recommendations single out two scenarios in particular: a cloud or analytics provider that needs the data in the clear to deliver its service, and remote access to data in the clear from the third country. Both describe a typical Google Analytics or Facebook Pixel deployment, where the US provider must see identifiable events in order to function. If that provider is subject to FISA 702, the transfer may simply be unlawful regardless of contractual or technical measures.
How server-side tracking addresses Schrems II challenges
This is where server-side tracking becomes crucial for compliance strategies. Unlike traditional client-side tracking where JavaScript in users' browsers directly sends data to US servers, server-side tracking processes data on your own servers first, giving you control over what crosses borders.
Here's how it works: When a user visits your website, tracking data is sent to your server (ideally hosted in the EU). Your server processes this data, applies privacy controls, and only then—if necessary—forwards filtered, minimized, or pseudonymized data to analytics platforms. This architecture enables several compliance advantages:
Data minimization at the source. You can strip personal identifiers before any US transfer occurs: truncate or drop IP addresses, remove device-fingerprinting fields (user agent, screen size, language), aggregate events so no individual is identifiable, or filter out sensitive categories entirely. One caveat worth acting on: an unkeyed hash of an IPv4 address or a ClientID is not anonymization, because the input space is small enough to enumerate and match. Use a keyed hash (HMAC) whose key never leaves the EU, or truncate the address instead of hashing it.
Geographic data residency. By hosting your tracking infrastructure in EU data centers, raw user data need never leave European jurisdiction. Some implementations keep all personal data EU-resident and send only aggregate statistics to US analytics platforms. Note that an EU region of a US-owned cloud provider does not by itself solve the problem: the provider remains subject to US law, including FISA 702 and the CLOUD Act, so the physical location of the servers matters less than who controls them and who holds the keys.
Enhanced control over data flows. You determine exactly what data crosses borders and when, can implement real-time filtering based on user consent status, maintain detailed logs for accountability, and can immediately cease transfers if legal requirements change.
Practical implementation matters. Google Analytics 4 supports server-side implementation through Google Tag Manager server-side containers, which you can run on your own infrastructure rather than on Google Cloud. Be aware that the server container still forwards events to Google's collection endpoints unless you filter, pseudonymize, or aggregate them first. Meta offers the Conversions API for server-side event tracking. Several EU providers sell middleware that implements server-side tracking while preserving marketing functionality.
Important caveat: server-side tracking alone doesn't guarantee compliance. If you ultimately transfer identifiable personal data to US servers, you still face Schrems II issues. Server-side tracking works best combined with robust anonymization, data minimization, and ideally EU-based analytics alternatives that never transfer data to surveillance-law jurisdictions.
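The following is an added illustration of the gateway described above, written for this page; it is not Google's, Meta's, or any vendor's code. It assumes a hypothetical EU-hosted endpoint receiving raw hits as dictionaries, a hypothetical EU-held HMAC key, and constructed sample traffic. It keeps a minimal record in the EU, drops IP addresses from anything that crosses the border, replaces the ClientID with a keyed pseudonym, honours the visitor's consent state, and offers an aggregate-only export for the case where no per-visitor field should leave at all.

```python
"""EU-side tracking gateway (added example, not vendor code)."""
import hashlib
import hmac
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical EU-held secret. In production keep it in an EU KMS/HSM and rotate it;
# without a key, SHA-256(client_id) or SHA-256(ipv4) is reversible by enumeration.
EU_PSEUDONYM_KEY = b"example-eu-only-secret-rotate-me"

# Allow-list of fields permitted to cross the border. ip, user_agent, screen size,
# language and cookies are dropped by construction, not by a deny-list.
FORWARD_FIELDS = ("event", "path", "referrer_host", "ts_bucket", "client_pseudonym")


def truncate_ip(ip: str) -> str:
    """Zero the host bits (IPv4 /24, IPv6 /48) for the EU-resident record only."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymize(client_id: str, key: bytes = EU_PSEUDONYM_KEY) -> str:
    """Keyed pseudonym (HMAC-SHA256); the importer cannot re-link it without the key."""
    return hmac.new(key, client_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def bucket_timestamp(ts: int, seconds: int = 3600) -> int:
    """Coarsen event time to the hour so timestamps cannot act as a quasi-identifier."""
    return ts - ts % seconds


def clean_path(path: str) -> str:
    """Strip query strings and fragments, which routinely carry e-mails and tokens."""
    return path.split("?", 1)[0].split("#", 1)[0]


def process_hit(raw: Dict, consent: Dict) -> Tuple[Optional[Dict], Optional[Dict]]:
    """Return (eu_record, forward_payload).

    eu_record stays in the EU datastore (None without analytics consent).
    forward_payload is the only thing that may reach a third-country platform
    (None unless the visitor also consented to the transfer).
    """
    if not consent.get("analytics"):
        return None, None  # no consent: drop the hit, do not even log it
    eu_record = {
        "event": raw["event"],
        "path": clean_path(raw["path"]),
        "ip_prefix": truncate_ip(raw["ip"]),
        "client_pseudonym": pseudonymize(raw["client_id"]),
        "ts": raw["ts"],
    }
    if not consent.get("third_country_transfer"):
        return eu_record, None
    candidate = {
        "event": eu_record["event"],
        "path": eu_record["path"],
        "referrer_host": urlsplit(raw.get("referrer", "")).hostname or "",
        "ts_bucket": bucket_timestamp(raw["ts"]),
        "client_pseudonym": eu_record["client_pseudonym"],
    }
    return eu_record, {k: candidate[k] for k in FORWARD_FIELDS}


def aggregate_only(payloads: List[Dict]) -> Dict:
    """Alternative export: per-path counts with no per-visitor field at all."""
    return dict(Counter((p["event"], p["path"]) for p in payloads))


# Constructed sample traffic (not real visitors): same page, three consent states.
SAMPLE_HITS = [
    ({"event": "page_view", "path": "/checkout?email=a@example.com", "ip": "203.0.113.77",
      "client_id": "GA1.2.111", "ts": 1700000123, "user_agent": "Mozilla/5.0",
      "referrer": "https://example.org/deals"},
     {"analytics": True, "third_country_transfer": True}),
    ({"event": "page_view", "path": "/checkout", "ip": "2001:db8:abcd:1234::1",
      "client_id": "GA1.2.222", "ts": 1700000456, "user_agent": "Mozilla/5.0"},
     {"analytics": True, "third_country_transfer": False}),
    ({"event": "page_view", "path": "/checkout", "ip": "198.51.100.9",
      "client_id": "GA1.2.333", "ts": 1700000789, "user_agent": "Mozilla/5.0"},
     {"analytics": False}),
]


def run_gateway(hits=SAMPLE_HITS) -> Tuple[List[Dict], List[Dict]]:
    """Run the gateway over a batch; returns (eu_records, forwarded_payloads)."""
    eu_records, forwarded = [], []
    for raw, consent in hits:
        eu_rec, payload = process_hit(raw, consent)
        if eu_rec:
            eu_records.append(eu_rec)
        if payload:
            forwarded.append(payload)
    return eu_records, forwarded


if __name__ == "__main__":
    eu, fwd = run_gateway()
    print(f"kept in EU: {len(eu)}, forwarded: {len(fwd)}")
    print(fwd)
    print(aggregate_only(fwd))
```

Two design points matter more than the code. First, the forwarded payload is built from an allow-list, so a new field added to the browser snippet cannot leak by accident. Second, the pseudonym key is the real control: if the same key is ever shared with the receiving platform, the pseudonym becomes a stable identifier again and you are back to transferring personal data.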
The 2023 Data Privacy Framework: Temporary solution or third strike?
On July 10, 2023, the European Commission adopted the EU-US Data Privacy Framework, the third attempt at transatlantic data transfer regulation after Safe Harbor (invalidated 2015) and Privacy Shield (invalidated 2020). This framework theoretically resolves Schrems II concerns through new US commitments.
Key improvements include: President Biden's Executive Order 14086 requiring US intelligence data access be "necessary and proportionate," establishing the Data Protection Review Court (DPRC) as an independent redress mechanism for EU citizens, and enhanced oversight through the Privacy and Civil Liberties Oversight Board (PCLOB). US companies can self-certify compliance with DPF principles, appearing on an official list and allowing legal data transfers.
However, the framework faces significant vulnerabilities. It's based on an Executive Order rather than Congressional legislation, meaning a future president could revoke it. The underlying surveillance laws—FISA 702 and EO 12333—remain unchanged. Privacy advocates including Max Schrems announced plans to challenge the framework in court, anticipating a "Schrems III" case that could reach the CJEU by 2025-2026.
Crisis deepened in January 2025 when President Trump's administration dismissed all three Democratic members of PCLOB, eliminating the board's quorum and halting its oversight functions. The European Commission's adequacy decision mentioned PCLOB 31 times as a critical oversight mechanism; its sudden dysfunction undermines the framework's credibility. Norway's data protection authority warned businesses to prepare for potential DPF invalidation, while European Parliament members questioned whether the Commission should suspend the adequacy decision.
Currently, companies can rely on DPF if their US vendors are certified, but prudent organizations are developing contingency plans for potential invalidation. Given the pattern—Safe Harbor lasted 15 years, Privacy Shield lasted 4 years—the Data Privacy Framework's longevity remains uncertain.
Actionable compliance strategies for website operators
Conduct a Transfer Impact Assessment immediately. Map every tool and service that processes EU visitor data. Identify which transfer data to third countries, particularly the US. For each transfer using SCCs or DPF, evaluate destination country laws and practices, assess risks to your specific data types and processing activities, determine if supplementary measures can provide adequate protection, and document your entire assessment process. Data protection authorities increasingly expect detailed TIA documentation during audits.
Evaluate EU-based alternatives to US tracking tools. Consider privacy-focused analytics like Matomo (self-hosted in EU), Plausible Analytics (EU-hosted by default), Fathom Analytics (Canadian company with EU hosting), or Pirsch Analytics (German-based). These tools often provide core functionality—traffic sources, page views, conversion tracking—without transferring personal data to surveillance-law jurisdictions.
If maintaining US-based tools, implement defense-in-depth. Migrate to server-side implementations where possible, so data is filtered before it crosses a border. Deploy a consent management platform that records explicit consent to international transfers with a clear statement of the risk; be aware that the Article 49(1)(a) consent derogation is intended for occasional transfers, so it backs up a transfer tool rather than replacing one for routine analytics traffic. Verify that vendors hold DPF certification and check that the status is current, not merely that it existed at contract signing. Implement maximum data minimization: collect only essential information, use the shortest workable retention periods, anonymize wherever possible. Maintain detailed documentation of your legal basis, risk assessment, and technical measures.
Prepare for regulatory scrutiny and framework collapse. Create contingency plans for rapid migration to EU alternatives if DPF is invalidated. Establish regular monitoring processes for legal developments affecting your data flows. Engage privacy counsel for complex assessments—the cost of proper legal review is far less than enforcement action. Consider cyber insurance covering GDPR fines and breach costs.
Monitor enforcement trends in your jurisdiction. Some EU authorities enforce aggressively (Austria, France, Sweden), while others take softer approaches. However, GDPR's cooperation mechanism means your lead supervisory authority is not the only one that matters: any authority whose residents are affected can receive complaints and take part in the case, and for operators with no main establishment in the EU, every authority is competent on its own.
The bottom line for businesses
Schrems II didn't stop EU-US data flows, but it made them legally complex and risky. The days of dropping Google Analytics code on your site without legal consideration are definitively over. Multiple data protection authorities have declared standard implementations illegal, and enforcement is escalating from warnings to seven-figure fines.
Server-side tracking represents a valuable compliance tool when implemented correctly—giving you control over data flows, enabling minimization and filtering, and supporting geographic data residency. Combined with EU-based hosting and privacy-focused alternatives, it can form part of a robust compliance strategy that balances marketing needs with legal requirements.
However, no technical measure alone guarantees compliance. You need comprehensive approaches combining technology (server-side tracking, encryption, pseudonymization), legal mechanisms (properly assessed SCCs or verified DPF certification), organizational policies (data minimization, retention limits, access controls), and operational vigilance (continuous monitoring, regular reassessment, adaptation to legal changes).
The legal landscape remains fundamentally unstable. With the Data Privacy Framework facing potential "Schrems III" challenge, PCLOB oversight suspended, and increased enforcement activity, prudent website operators should implement compliance measures beyond minimum requirements and maintain flexibility to adapt quickly as regulations evolve. The question isn't whether to address Schrems II compliance, but how comprehensively and how soon.