Schrems II & AI: practical checklist for SMEs

Legal Team
May 12, 2025 · 8 min read

The Schrems II decision has created significant compliance challenges for European businesses implementing AI solutions. This practical checklist provides actionable steps for SMEs to navigate these requirements while maintaining operational efficiency.

Key Implications of Schrems II for AI Implementation

The July 2020 Schrems II ruling by the European Court of Justice invalidated the EU-US Privacy Shield and placed additional requirements on Standard Contractual Clauses (SCCs). For businesses deploying AI solutions, this creates a complex compliance landscape, especially when AI providers process data outside the EU or use non-EU cloud infrastructure.

Essential Compliance Checklist for SMEs

  • Data Flow Mapping: Document all cross-border data transfers to AI vendors and third-party processors, identifying what personal data is processed and where.
  • AI Vendor Assessment: Evaluate your AI provider's data processing practices, including infrastructure locations, subprocessors, and training data retention.
  • Technical Safeguards: Apply data minimization, pseudonymization, and encryption before data leaves your control and is transferred to AI systems; encryption only counts as a safeguard if the keys stay with you rather than with the non-EU provider.
  • Contract Updates: Revise Data Processing Agreements to include updated SCCs with supplementary measures specific to AI processing.
  • EU-Hosted Alternatives: Consider switching to AI solutions built and hosted entirely within the EU for high-risk processing.
  • Risk Assessment Documentation: Maintain comprehensive records of your compliance measures and risk assessments for potential audits.

Practical Implementation Timeline

For European SMEs with limited resources, we recommend a phased approach:

  1. Month 1: Complete data flow mapping and vendor assessment for all AI implementations
  2. Month 2: Implement technical safeguards and initiate contract updates
  3. Month 3: Finalize documentation framework and establish ongoing compliance monitoring
  4. Quarterly: Review and update compliance measures as regulatory guidance evolves

When to Consider EU-Only AI Solutions

While supplementary measures can help mitigate Schrems II concerns with non-EU AI providers, certain scenarios warrant considering EU-hosted alternatives:

  • Processing particularly sensitive personal data
  • Operating in highly regulated sectors (financial services, healthcare)
  • Processing data from vulnerable individuals
  • Implementing AI as part of core business operations
  • Operating in jurisdictions with strict data localization requirements

Conclusion

Schrems II compliance for AI implementations requires thoughtful planning but is achievable for SMEs with the right approach. By prioritizing data protection by design and carefully selecting EU-compliant vendors, businesses can harness the benefits of AI while maintaining regulatory compliance.
