Schrems II: why EU users' files on Dropbox sit under a legal cloud
July 2020
The EU Court of Justice's 2020 Schrems II ruling struck down the Privacy Shield framework over US surveillance, leaving EU organizations that store data with US providers such as Dropbox needing extra safeguards, and still unable to fully escape US legal reach.
What happened
In July 2020 the Court of Justice of the European Union, in the 'Schrems II' case, invalidated the EU–US Privacy Shield framework, finding that US surveillance laws (such as FISA Section 702 and Executive Order 12333) did not give EU citizens protection 'essentially equivalent' to the GDPR. The court left Standard Contractual Clauses (SCCs) valid but said data exporters must assess the destination country's protections and add 'supplementary measures' where they fall short.
For Dropbox — a US company subject to US legal process and the CLOUD Act — the ruling created a durable compliance problem for its EU customers. Dropbox says it is GDPR-compliant, adheres to the EU Cloud Code of Conduct, and offers EU-based data centers for some enterprise tiers, but it cannot guarantee EU-only hosting across all plans, and it cannot place EU customer data beyond the reach of US legal demands. EU organizations using Dropbox must therefore perform transfer-impact assessments and may need additional encryption or contractual measures to use it lawfully.
This is not a breach or a Dropbox-specific failing — it applies to all major US cloud providers — but it is a structural privacy and legal exposure that EU users of Dropbox carry, and it connects directly to the government-access concerns documented elsewhere in this archive.
Impact
Schrems II turned 'where is my data legally reachable?' from a niche worry into a compliance obligation for every EU organization using US cloud storage. For Dropbox it underscores that GDPR certifications and EU data centers do not neutralize US jurisdiction — the same root issue behind the PRISM and transparency-report concerns. It is a key reason privacy-sensitive EU users look to EU-based or zero-knowledge alternatives.