Geopolitical

EU Data Sovereignty Post-Schrems II: What PE Firms Need to Know

Simone Nogara

July 2025 · 7 min read

The CJEU’s Schrems II[1] ruling exposed a structural incompatibility between European data protection values and US surveillance architecture. For Private Equity firms managing cross-jurisdictional portfolios, the consequences reach into the operational fabric of every portfolio company processing European personal data — and into the due diligence frameworks that should catch these exposures before acquisition.

The Schrems II Decision: What Actually Changed

On 16 July 2020, the CJEU invalidated the EU-US Privacy Shield, finding that US surveillance programmes under FISA Section 702 and Executive Order 12333 were incompatible with the fundamental rights of EU data subjects. The Privacy Shield — the primary legal basis for transatlantic data transfers since 2016 — ceased to exist overnight.

The court did not invalidate Standard Contractual Clauses outright but imposed a critical new requirement: data exporters must assess case-by-case whether the recipient country provides essentially equivalent protection. Where it does not, supplementary measures must be implemented or the transfer must cease. The EDPB subsequently clarified that technical safeguards such as strong encryption with exporter-controlled keys may suffice, whereas purely organisational or contractual measures are unlikely to suffice where recipient-country law grants government access to personal data.

Transfer Impact Assessments: The Hidden Obligation

The practical consequence is the Transfer Impact Assessment — a substantive analysis of the recipient country’s legal framework, the transfer circumstances, data volume, and applicable supplementary measures. For a Private Equity firm with twenty portfolio companies, each with its own technology stack and data flows, the aggregate burden is significant.

Most TIAs for US transfers reach an uncomfortable conclusion: FISA Section 702 and EO 12333 allow the US government to compel access to personal data held by US cloud providers, even data stored in European data centres. Contractual commitments to resist carry limited weight against compulsory US legal process. Regulators expect current, producible TIAs — a requirement many mid-market companies lack the capability to fulfil.

The EU-US Data Privacy Framework: A Partial Solution

The July 2023 DPF adequacy decision rests on Executive Order 14086, which introduced necessity and proportionality concepts into US intelligence collection and established a Data Protection Review Court. It improves on the Privacy Shield but carries structural limitations.

First, the DPF rests on an executive order, not legislation — a future administration could revoke it without congressional approval. Second, the DPRC (judges appointed by the US Attorney General, no judicial appeal right) is not a court in the European sense. Third, noyb filed a legal challenge shortly after adoption; a potential Schrems III ruling from the CJEU could arrive within the next two to three years. The DPF provides a current legal basis for transfers but should not be treated as a permanent settlement. Any architecture depending exclusively on its continued validity is building on shifting foundations.

The CLOUD Act: A Parallel Threat Vector

The 2018 CLOUD Act[2] enables US law enforcement to compel data disclosure from US-headquartered providers regardless of where data is physically stored. A provider like Microsoft or AWS can be served with a warrant for data in European data centres. Though a different mechanism than FISA (law enforcement vs. intelligence), the practical effect is identical: data entrusted to a US provider is potentially accessible to US authorities.

The DPF adequacy decision does not address the CLOUD Act. European DPAs — including the CNIL and BfDI — have published guidance indicating that reliance on US-headquartered providers requires heightened supplementary measures to account for this additional risk.

Practical Strategies for PE Firms

Strategic options organise into three tiers of European data sovereignty commitment.

Tier 1: Sovereign Infrastructure. Migrate critical processing to EU-sovereign cloud providers (OVHcloud, IONOS, Infomaniak) — headquartered in the EU, subject exclusively to EU law, structurally isolated from US jurisdictional reach. Eliminates CLOUD Act and FISA risks but requires architectural investment and may trade off service maturity.

Tier 2: Data Localisation with Enhanced Controls. Maintain US-headquartered providers with comprehensive supplementary measures: EU-only data processing, controller-managed encryption keys, contractual prohibitions on foreign government compliance without notification, and anomalous access monitoring. Reduces risk substantially but does not eliminate CLOUD Act exposure.
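The supplementary measure that both the EDPB guidance above and Tier 2 rely on is encryption where the exporter, not the provider, holds the keys. The following is an added illustration, not code from the article or from any provider named in it: client-side envelope encryption in Go, where a key-encryption key (KEK) stays with the EU controller, each object is encrypted under its own random data key, and the US-hosted store receives only ciphertext plus the KEK-wrapped data key. The object identifier is bound as AEAD associated data so a blob cannot be relabelled. The KEK is generated in memory here; in practice it would live in an exporter-controlled KMS or HSM inside the EU (an assumption of this example).

```go
// Added example (not from the article): client-side envelope encryption
// demonstrating the EDPB "exporter-controlled keys" supplementary measure.
// The key-encryption key (KEK) never leaves the EU data exporter; the cloud
// store only ever holds ciphertext and a wrapped data key.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is what leaves the exporter's control and lands with the
// provider. Nothing in it is decryptable without the KEK.
type StoredObject struct {
	ObjectID   string // bound as AAD so a blob cannot be swapped between objects
	WrappedDEK []byte // nonce || AES-256-GCM encryption of the per-object data key under the KEK
	Nonce      []byte // GCM nonce for Body
	Body       []byte // AES-256-GCM ciphertext of the personal data
}

// NewKEK generates a 256-bit key-encryption key. Assumed to live in an
// EU-resident KMS/HSM in production; generated in memory for this example.
func NewKEK() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce, binding aad.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	g, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad)
}

// EncryptForStorage runs on the exporter side before upload: a random
// per-object DEK encrypts the data, and only the KEK-wrapped DEK travels with it.
func EncryptForStorage(kek []byte, objectID string, plaintext []byte) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	nonce, body, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{
		ObjectID:   objectID,
		WrappedDEK: append(wrapNonce, wrapped...),
		Nonce:      nonce,
		Body:       body,
	}, nil
}

// DecryptFromStorage runs on the exporter side after download. A party that
// holds only the StoredObject (the provider, or whoever compels it) cannot
// recover the data key, and therefore not the data.
func DecryptFromStorage(kek []byte, obj StoredObject) ([]byte, error) {
	g, err := gcm(kek)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(obj.WrappedDEK) < ns {
		return nil, errors.New("malformed wrapped DEK")
	}
	dek, err := open(kek, obj.WrappedDEK[:ns], obj.WrappedDEK[ns:], []byte(obj.ObjectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Nonce, obj.Body, []byte(obj.ObjectID))
}

func main() {
	kek, _ := NewKEK()
	// Constructed sample record, not real data.
	record := []byte(`{"investor":"Example Capital SA","iban":"DE00 0000 0000 0000 0000 00"}`)
	obj, err := EncryptForStorage(kek, "investors/2025/0001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("held by provider: %d ciphertext bytes, no plaintext\n", len(obj.Body))
	back, err := DecryptFromStorage(kek, obj)
	fmt.Printf("exporter recovers: %s (err=%v)\n", back, err)
	other, _ := NewKEK() // a party without the controller's KEK
	_, err = DecryptFromStorage(other, obj)
	fmt.Println("without KEK:", err)
}
```

The design point for a TIA is the last two calls: the same blob decrypts for the key holder and fails for anyone else, which is what turns a contractual promise to resist disclosure into a technical one. Note that this protects data at rest in the provider's custody; workloads that need the provider to process plaintext (search, analytics) fall outside this measure and remain a Tier 1 or Tier 3 question.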

Tier 3: Hybrid Architecture. Sovereign infrastructure for the most sensitive data (financial records, investor communications, M&A materials, personal data of EU individuals) combined with mainstream cloud for lower-sensitivity workloads. Requires robust data classification and clear governance.

Implications for Due Diligence and Portfolio Management

Post-Schrems II data sovereignty has direct implications for investment decisions, valuations, and exits. Under the GDPR[3], penalties for unlawful international transfers reach 4% of global turnover — a figure that should command any Investment Committee’s attention. During technical due diligence, systematically assess: where is personal data stored? Which providers are in use and where headquartered? Are TIAs current? What supplementary measures exist? Has CLOUD Act exposure been assessed?
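The due-diligence questions in the paragraph above can be asked of an inventory rather than in interviews. The following is an added example, not code from the article: a Go pass over a constructed data-store inventory for a hypothetical portfolio company that raises a finding for each exposure the article's checklist names (foreign-headquartered provider regardless of storage region, provider-held keys, storage outside the EEA, missing or stale TIA). The inventory rows, the provider name "HyperscalerCo", and the 12-month TIA review interval are assumptions of this example; the article only says TIAs must be current. Adequacy decisions for countries outside the EEA are deliberately not modelled.

```go
// Added example (not from the article): an automated pass over a portfolio
// company's data-store inventory that raises the exposures the article's
// due-diligence questions ask about. The inventory and the 12-month TIA
// review interval are constructed assumptions, not facts from the article.
package main

import (
	"fmt"
	"sort"
	"time"
)

// DataStore is one line of a company's data inventory.
type DataStore struct {
	Name           string
	Provider       string
	ProviderHQ     string    // ISO 3166-1 alpha-2 code of the provider's headquarters
	DataCountry    string    // ISO code of the country where the data physically sits
	EUPersonalData bool      // holds personal data of EU data subjects
	CustomerKeys   bool      // encryption keys held by the controller, not the provider
	TIADate        time.Time // zero value means no Transfer Impact Assessment on file
}

// Finding is one exposure raised against a store.
type Finding struct {
	Store, Code, Severity, Detail string
}

// Assumed review cadence for TIAs; the article only says they must be "current".
const tiaMaxAge = 365 * 24 * time.Hour

// EU-27 plus the EEA states to which the GDPR extends. Third countries with
// adequacy decisions are deliberately not modelled in this simplified check.
var eeaCountries = map[string]bool{
	"AT": true, "BE": true, "BG": true, "HR": true, "CY": true, "CZ": true, "DK": true,
	"EE": true, "FI": true, "FR": true, "DE": true, "GR": true, "HU": true, "IE": true,
	"IT": true, "LV": true, "LT": true, "LU": true, "MT": true, "NL": true, "PL": true,
	"PT": true, "RO": true, "SK": true, "SI": true, "ES": true, "SE": true,
	"IS": true, "LI": true, "NO": true,
}

func inEEA(country string) bool { return eeaCountries[country] }

var severityRank = map[string]int{"high": 0, "medium": 1, "low": 2}

// Assess evaluates one store as of `now`.
func Assess(s DataStore, now time.Time) []Finding {
	var out []Finding
	if !s.EUPersonalData {
		return out // no EU personal data: the transfer rules do not apply
	}
	add := func(code, sev, detail string) {
		out = append(out, Finding{s.Name, code, sev, detail})
	}
	foreignProvider := !inEEA(s.ProviderHQ)
	foreignLocation := !inEEA(s.DataCountry)

	if foreignProvider {
		// An EU storage region does not remove the parent company's exposure
		// to CLOUD Act warrants or FISA 702 directives.
		sev := "medium"
		if !s.CustomerKeys {
			sev = "high"
		}
		add("foreign_jurisdiction", sev, fmt.Sprintf(
			"%s is headquartered in %s; storage in %s does not remove that reach",
			s.Provider, s.ProviderHQ, s.DataCountry))
		if !s.CustomerKeys {
			add("provider_held_keys", "high",
				"exporter-controlled encryption is absent, so the provider can produce plaintext")
		}
	}
	if foreignLocation {
		add("non_eu_storage", "high", "personal data is physically stored outside the EEA")
	}
	if foreignProvider || foreignLocation {
		// A transfer takes place, so a current TIA must be producible.
		switch {
		case s.TIADate.IsZero():
			add("tia_missing", "high", "no Transfer Impact Assessment on file")
		case now.Sub(s.TIADate) > tiaMaxAge:
			add("tia_stale", "medium", "TIA dated "+s.TIADate.Format("2006-01-02")+" is older than the review interval")
		}
	}
	return out
}

// AssessPortfolio runs Assess over every store and orders findings by severity.
func AssessPortfolio(stores []DataStore, now time.Time) []Finding {
	var all []Finding
	for _, s := range stores {
		all = append(all, Assess(s, now)...)
	}
	sort.SliceStable(all, func(i, j int) bool {
		return severityRank[all[i].Severity] < severityRank[all[j].Severity]
	})
	return all
}

// CountBySeverity gives the headline numbers an Investment Committee memo needs.
func CountBySeverity(fs []Finding) map[string]int {
	c := map[string]int{}
	for _, f := range fs {
		c[f.Severity]++
	}
	return c
}

// SampleInventory is a constructed inventory for a hypothetical portfolio company.
func SampleInventory() []DataStore {
	d := func(y, m, day int) time.Time { return time.Date(y, time.Month(m), day, 0, 0, 0, 0, time.UTC) }
	return []DataStore{
		{"erp-db", "OVHcloud", "FR", "FR", true, true, time.Time{}},              // Tier 1: no transfer occurs
		{"crm", "HyperscalerCo", "US", "DE", true, true, d(2025, 1, 15)},          // Tier 2 controls in place
		{"hr-files", "HyperscalerCo", "US", "DE", true, false, d(2023, 6, 1)},     // stale TIA, provider-held keys
		{"analytics", "HyperscalerCo", "US", "US", true, false, time.Time{}},      // every exposure at once
		{"build-cache", "HyperscalerCo", "US", "US", false, false, time.Time{}},   // no personal data: out of scope
	}
}

func main() {
	now := time.Date(2025, 7, 1, 0, 0, 0, 0, time.UTC)
	findings := AssessPortfolio(SampleInventory(), now)
	for _, f := range findings {
		fmt.Printf("[%-6s] %-12s %-20s %s\n", f.Severity, f.Store, f.Code, f.Detail)
	}
	fmt.Println("totals:", CountBySeverity(findings))
}
```

Run against the sample inventory, the EU-sovereign store produces nothing, the Tier 2 store produces a single medium finding (residual CLOUD Act reach despite controller-held keys), and the two unmanaged stores account for every high finding. Feeding a real inventory export into the same rules gives a repeatable answer to the questions above before the Investment Committee meets, and re-running it after acquisition is the "regular TIA review" the next section calls for.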

Post-acquisition, establish portfolio-wide data sovereignty standards — not identical infrastructure, but a consistent governance framework defining acceptable transfer approaches, mandating regular TIA reviews, and establishing escalation procedures. Companies in regulated sectors should be held to the higher standard.

Looking Ahead: Preparing for Schrems III

The legal challenge to the DPF is proceeding through European courts. Private Equity firms with robust, jurisdiction-aware data architectures will be well positioned regardless of outcome. Those treating the DPF as permanent will face the same scramble that followed the Privacy Shield invalidation.

The direction of European regulatory policy is unambiguous: data sovereignty is a permanent feature, not a transient concern. The EU Data Act[4], AI Act[5], and digital sovereignty discussions all point toward increasing scrutiny of jurisdictional data control. For PE firms, this begins with visibility — knowing where portfolio data resides and under whose jurisdiction — and progresses through governance, technical controls, and strategic infrastructure decisions.

References

  1. Schrems II: CJEU Case C-311/18 (Data Protection Commissioner v. Facebook Ireland).
  2. US CLOUD Act (Clarifying Lawful Overseas Use of Data Act), 2018.
  3. Regulation (EU) 2016/679 (General Data Protection Regulation), EUR-Lex.
  4. Regulation (EU) 2023/2854 (EU Data Act), EUR-Lex.
  5. Regulation (EU) 2024/1689 (EU AI Act), EUR-Lex.
