When the EU Court of Justice invalidated Privacy Shield in July 2020, it put pressure on every personal-data transfer to the US. Since then we’ve had the Data Privacy Framework, new standard contractual clauses and a wave of transfer impact assessments. But the core of Schrems II hasn’t gone away.
What the ruling actually said
Schrems II was not about servers. It was about US surveillance law giving agencies access to data in a way incompatible with European fundamental rights — and that contracts cannot protect against a law. As long as a provider is subject to that legislation, the risk remains, no matter how well the clauses are worded.
Did the Data Privacy Framework solve it?
The DPF of 2023 made transfers legally smoother on paper. But it rests on the same tension that collapsed twice before, and it is already being challenged in court. Relying on a framework that may fall a third time is a planning risk, not a solution. Many companies have shifted from “are we formally compliant?” to “how much transatlantic exposure do we even have?”.
The safest way to pass a transfer assessment is to not need the transfer.
— from Kepler’s trust model
Designing the risk away instead of monitoring it
If data never leaves EU jurisdiction, and the provider has no parent outside the EU, there is no transfer to assess. That’s the structural route: choose a stack where jurisdiction, ownership, control plane and keys all sit in the EU. Then Schrems II becomes a non-issue rather than an annual documentation project.
That’s exactly what Kepler is built for. Swedish-owned, EU-incorporated, our own hardware, and keys in EU-resident OpenBao — with everything exportable as code if you ever want to move.