GDPR 7 min read

Schrems II and Consent Management: What EU Organisations Must Do Now

What you need to know

The ECJ's Schrems II ruling (C-311/18) invalidated the EU-US Privacy Shield and imposed additional safeguards on standard contractual clauses. This guide explains what consent managers and EU SMEs must do to remain GDPR-compliant for transatlantic data transfers.

Source: EuroComply Editorial (2026-05-31)
Reviewed by: EuroComply Team, EU regulatory specialists. Content reviewed against official EUR-Lex texts.

Schrems II is the informal name for ECJ Case C-311/18, decided on 16 July 2020. The Court of Justice of the European Union invalidated the EU-US Privacy Shield adequacy decision and imposed strict additional requirements on Standard Contractual Clauses (SCCs) for personal data transfers to the United States and other third countries. For EU organisations using US-headquartered consent management platforms (CMPs), the ruling created an unresolved tension: the CMP may be technically compliant with cookie consent rules while simultaneously transferring EU personal data to a US entity subject to US surveillance law.

What Schrems II Changed

Before Schrems II, EU organisations transferring personal data to the United States had two primary mechanisms: Privacy Shield (adequacy decision) and Standard Contractual Clauses (SCCs). The ECJ struck down Privacy Shield entirely, finding that US surveillance law — specifically the Foreign Intelligence Surveillance Act (FISA) Section 702 and Executive Order 12333 — does not provide a level of protection essentially equivalent to the EU standard. SCCs were not invalidated outright, but the Court held that SCCs alone are not sufficient when the law of the destination country prevents compliance with them. Organisations using SCCs must now carry out a Transfer Impact Assessment (TIA) to verify that the SCCs can actually be honoured in practice.

The European Data Protection Board (EDPB) subsequently published Recommendations 01/2020 on supplementary measures, providing guidance on what "supplementary measures" — technical, contractual, or organisational — can make SCCs viable for specific transfer scenarios. For transfers to the United States, the EDPB found that, in most cases, no technical supplementary measure is sufficient for transfers to entities subject to FISA 702. The practical implication: if your CMP vendor is a US entity subject to FISA 702, and their processing falls within that statute's scope, SCCs cannot cure the compliance gap.

The CLOUD Act Dimension

The Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018 compounds the Schrems II problem. Under the CLOUD Act, US law enforcement can compel US-headquartered companies to disclose customer data stored anywhere in the world — including on EU servers. A US-headquartered CMP vendor with EU data residency contractually guaranteed in your DPA may still be legally compelled to hand over data by a US court order, regardless of the storage location. The CLOUD Act Exposure Score methodology (eurocomply.app/cloud-act-scores) quantifies this risk for individual SaaS vendors on a 0–100 scale.

According to Eurostat Digital Economy data (2024), approximately 43% of EU enterprises with 10+ employees use a US-headquartered cloud service provider for at least one core business function. For CMP specifically, the market is dominated by OneTrust (US, CLOUD Act Exposure Score 72/100), Osano (US, score 91/100), and Termly (US, score 95/100) — all US entities subject to the CLOUD Act.

What Schrems II Requires for Consent Management

A consent management platform processes personal data in two distinct ways relevant to Schrems II: (1) it collects and stores consent records, which are personal data under GDPR; (2) it may fire or gate third-party tracking scripts, some of which involve cross-border data transfers in their own right. Schrems II obligations attach to both.

For the CMP itself, organisations must:

  1. Identify whether the CMP vendor is subject to US surveillance law (FISA 702, EO 12333, or CLOUD Act).
  2. If yes, carry out a Transfer Impact Assessment under EDPB Recommendations 01/2020.
  3. Document the TIA in the Record of Processing Activities (ROPA) under GDPR Article 30.
  4. Assess whether supplementary measures — encryption, pseudonymisation, data minimisation — make the transfer viable. For most US-entity CMPs, the EDPB's position is that technical measures are insufficient where the vendor needs plaintext access.
  5. If the transfer cannot be made compliant, consider switching to an EU-sovereign CMP.

For third-party scripts gated by the CMP, the same analysis applies to each script that transfers personal data outside the EU. Consent does not cure a Schrems II violation: GDPR Article 49(1)(a) allows a transfer on the basis of explicit consent, but only where the transfer is not systematic or large-scale, and the EDPB has consistently held that CMP-based cookie consent does not qualify as an Article 49 derogation for routine commercial transfers.

EU-Sovereign CMP Options

Three CMPs based entirely in the EU avoid the CLOUD Act problem:

| Vendor | HQ | CLOUD Act Exposure | From |
|--------|----|--------------------|------|
| Cookiebot (Usercentrics GmbH) | Munich, Germany | Sovereign (score: 18) | €9/month |
| Usercentrics | Munich, Germany | Sovereign (score: 18) | €60/month |
| Iubenda (Team.blue group) | Bologna, Italy | Sovereign (score: 22) | €27.99/year |

Neither Cookiebot nor Usercentrics covers AI Act, NIS2, or DORA obligations — if your organisation has EU AI product obligations or falls within NIS2 scope, you will need a broader compliance platform in addition to your CMP. EuroComply covers both consent-adjacent and AI Act obligations and is EU-incorporated (Portugal) with EU-only infrastructure.

Transfer Impact Assessments: Practical Checklist

Under EDPB Recommendations 01/2020, a TIA for a US-headquartered CMP must cover:

  1. Map the transfer: identify what personal data flows to the vendor, for what purpose, and under which legal basis.
  2. Identify the transfer tool: in practice, SCCs using the 2021 EU Commission standard clauses (decision 2021/914).
  3. Assess destination country law: determine whether US law (FISA 702, CLOUD Act) impairs the SCCs. For most US SaaS vendors, the answer is yes.
  4. Evaluate supplementary measures: technical (encryption where the vendor cannot access the keys), contractual (warrant canary, notification obligations), organisational (data minimisation). The EDPB has found technical measures insufficient for FISA-702-scoped transfers where the vendor needs plaintext access.
  5. Document or switch: record the TIA outcome in the ROPA. If no viable supplementary measures exist, the lawful path is to use an EU-sovereign alternative.

The GDPR Fine Calculator can model your maximum exposure for an Article 46 transfer violation: up to €20M or 4% of global annual turnover, whichever is higher.

Frequently Asked Questions

What does Schrems II mean for consent management?

Schrems II (ECJ C-311/18, July 2020) means that EU organisations cannot lawfully transfer personal data — including consent records — to US-headquartered vendors solely on the basis of Standard Contractual Clauses, unless a Transfer Impact Assessment confirms that US law does not prevent compliance with those clauses. For most US CMP vendors subject to FISA 702 or the CLOUD Act, no supplementary technical measure is sufficient. Organisations should either carry out and document a Transfer Impact Assessment or switch to an EU-sovereign CMP.

Is Cookiebot Schrems II compliant?

Yes. Cookiebot is operated by Usercentrics GmbH, a German entity (Munich), and is not subject to the US CLOUD Act or FISA 702. It has a CLOUD Act Exposure Score of 18/100 (Sovereign tier). Consent data is processed within the EU. Cookiebot is one of the few CMPs where Standard Contractual Clauses are not required for the core consent management function, because no third-country transfer occurs for the consent record itself.

Is OneTrust Schrems II compliant?

OneTrust is US-headquartered and has a CLOUD Act Exposure Score of 72/100 (US-Dominant). It offers EU data residency on enterprise plans, but EU data residency does not eliminate CLOUD Act exposure — US law enforcement can compel disclosure regardless of storage location. EU organisations using OneTrust should carry out a Transfer Impact Assessment and document whether the transfer can be made compliant under GDPR Article 46. If the TIA concludes that no supplementary measure is sufficient, the compliant path is to use an EU-sovereign alternative.

What is a Transfer Impact Assessment (TIA) under Schrems II?

A Transfer Impact Assessment is a documented analysis that an EU data exporter must complete before relying on Standard Contractual Clauses for transfers to third countries. It assesses whether the law of the destination country allows the data importer to honour the SCCs in practice — specifically, whether surveillance laws or law enforcement access powers override the contractual protections. The EDPB's Recommendations 01/2020 set out a six-step process for completing a TIA. A TIA must be documented and kept as part of the ROPA.

Key takeaways

This article covers:

  • What Schrems II Changed
  • The CLOUD Act Dimension
  • What Schrems II Requires for Consent Management
  • EU-Sovereign CMP Options
  • Transfer Impact Assessments: Practical Checklist

EuroComply Editorial Team

EU regulatory compliance specialists covering the AI Act, GDPR, NIS2, and related legislation. Content reviewed against official EU regulation texts and enforcement guidance.

For informational purposes only. Consult qualified legal counsel.
