EU data-transfer scrutiny: the collapse of Privacy Shield and Dropbox's exposure
2020 onward
When the EU's top court struck down the EU–US Privacy Shield in 2020, Dropbox — which had self-certified under the framework — was among the US cloud services left exposed to European data-protection regulators questioning whether personal data could lawfully be transferred to the United States.
What happened
On 16 July 2020 the Court of Justice of the European Union, in the 'Schrems II' judgment, invalidated the EU–US Privacy Shield framework, the mechanism many American companies used to legitimize transfers of Europeans' personal data to the United States. The court held that US surveillance law did not provide European data subjects with protection essentially equivalent to that guaranteed under EU law.
Dropbox had self-certified under the EU–US and Swiss–US Privacy Shield frameworks to cover its transfers of certain personal data from the European Economic Area and Switzerland to the United States. With Privacy Shield gone, that basis evaporated, and the CJEU's ruling imposed heightened obligations on companies relying on the alternative mechanism of Standard Contractual Clauses — requiring case-by-case assessments and supplementary safeguards. In its own SEC filings, Dropbox acknowledged that European regulators could apply differing standards and require additional measures, and that the uncertainty around transatlantic data transfers created compliance risk.
This is regulatory and legal exposure rather than a single named lawsuit against Dropbox: the judgment applied broadly to US cloud providers, and critics and some European authorities argued that storing EU residents' personal data on US-based services such as Dropbox had become legally fraught. The risk has been partly addressed by the later EU–US Data Privacy Framework (adopted in 2023), but the area remains contested.
Impact
Schrems II turned Dropbox's cross-border data flows into an ongoing legal and compliance liability, requiring it to re-paper its transfer mechanisms and absorb the risk that EU regulators or courts could restrict its handling of European personal data. It strengthened the case for EU-based and sovereignty-focused competitors and made data residency a recurring concern for European business customers evaluating Dropbox. Dropbox itself flagged the regulatory uncertainty as a material risk in its public filings.