Most Nordic comms managers couldn’t tell you, off the top of their head, where the recording of their last all-hands is physically stored.
That’s not a criticism — it isn’t their job to track every server. But in 2026, the answer to that question is becoming uncomfortably central to whether their next live event is legal.
Six years ago, in July 2020, the European Court of Justice handed down a ruling that quietly reshaped the legal foundation under most cloud and SaaS tools in Europe. The ruling is called Schrems II. If you work in corporate communications at a European enterprise, your legal team has thought about it considerably more than you have. They probably haven’t told you the details — the details are technical and the implications are uncomfortable. But the broad shape of it is this: most of the major video/meeting platforms your company is paying for — Zoom, Webex, ON24, Vimeo, Brightcove — process your data in ways that, depending on how strictly you read the law, are either fully compliant, technically compliant under fragile new frameworks, or quietly in the gray zone.
Most of the comms managers I’ve spoken to assume the question has been handled by someone, somewhere in the building. That assumption is usually right and occasionally catastrophically wrong, and the trend over the past three years has been for the second category to slowly grow.
Here’s what Schrems II actually ruled, why live video platforms are unusually exposed to it, what your current vendor has probably done about it, and the three questions you should be asking before the next renewal lands on your desk.
What Schrems II actually ruled
The ruling has a person behind it. Max Schrems is an Austrian lawyer who has spent more than a decade challenging US tech companies on European data protection — starting as a law student in 2011 with complaints against Facebook’s handling of European user data, and now twice running cases that reached the European Court of Justice.
The first ruling, Schrems I in 2015, struck down a framework called Safe Harbor that had been how most companies justified moving European data to the US. Schrems II in 2020 struck down its successor, Privacy Shield.
Privacy Shield was by far the most common legal basis for transferring personal data from the EU to the US — a framework where US companies could self-certify they handled European data to EU-equivalent standards. The court ruled it invalid.
The reasoning came down to two US surveillance laws. FISA Section 702 and Executive Order 12333 together allow US intelligence agencies to access data held by US companies — including data on non-US persons — for foreign intelligence purposes. The European court’s view was that this leaves a European individual whose data ends up on US servers without meaningful judicial recourse: they can’t find out if they’re being surveilled, they can’t challenge it, they can’t sue. That fails the EU’s own standard for protecting personal data, which meant Privacy Shield — built on the assumption that the US provided equivalent protection — couldn’t stand.
The court did preserve one alternative: Standard Contractual Clauses (SCCs), pre-approved contract terms between an EU data exporter and a non-EU importer. But it attached a condition that has quietly become the central operational challenge of the post-Schrems-II era. Any company using SCCs to send data outside the EU must now perform a Transfer Impact Assessment — an honest analysis of whether the destination country, in practice, provides adequate protection. If it doesn’t, the company has to add supplementary safeguards or, in the court’s blunter phrasing, suspend the transfer.
In July 2020, corporate Europe woke up to this: Privacy Shield was gone, SCCs were still valid but heavier to use, and every major US-based SaaS vendor had to renegotiate the legal foundation of its European customer relationships.
Why live video platforms are particularly exposed
Most corporate software handles personal data. Your CRM has names and emails, your HR system has employment details, your email platform has years of communications. Live video tools belong on that list — but they’re an outlier on it in three ways that matter for Schrems II.
First, the data type is unusually sensitive. A single live event captures the video and audio of identifiable people — their faces, their voices, their names, their company affiliations — which is unambiguously personal data under GDPR. Add the chat log, the questions submitted in Q&A, the registration form data, and the viewer analytics that track when each attendee joined, left, raised their hand, or asked a question, and you’ve assembled a profile that goes well beyond a name and an email address. Some of it touches on special-category data when a session reveals political views, health information, or other sensitive characteristics about an identifiable individual.
Second, the volume per event is large. A 5,000-viewer all-hands produces personal data on 5,000 individuals. Run that quarterly across an enterprise, plus the regular cadence of live events, training broadcasts, and investor calls, and you’re aggregating tens of thousands of identifiable Europeans into one platform’s logs over the course of a year. Each of those individuals has rights under GDPR — to know what’s processed, to request deletion, to object — and your vendor has to be able to honor those rights on infrastructure that meets European standards.
Third, the use cases concentrate in the sectors where data residency is most carefully regulated. Earnings calls happen at publicly listed companies. All-hands happen at banks, insurers, and government bodies. Internal training happens at hospitals and pharma firms. These are precisely the sectors where compliance teams are most alert to where data physically sits, and where the consequences of a data-transfer problem are the most expensive.
Live video platforms don’t get less regulatory scrutiny than your CRM. They tend to get more. The question is whether your current platform is built to withstand it.
What the major US platforms have done about it
The major US platforms didn’t sit still after Schrems II. Over the past six years, they’ve made substantial structural changes to address the ruling — and on a fair reading, many of those changes work for many corporate buyers, most of the time.
The most visible move has been infrastructure. Zoom opened EU data centers and added regional data residency options that let customers specify where their data is processed. Microsoft built out what it calls the EU Data Boundary across its enterprise services, including Teams. Cisco’s Webex offers European hosting. ON24 and the broader event-platform category have followed. The direction across the industry has been to make it possible, with the right contract and the right configuration, to keep European customer data inside Europe — at least at the data-at-rest level.
Layered on top of the infrastructure is the contractual mechanism. Every serious US platform now offers Standard Contractual Clauses as part of its data processing agreement, usually the updated 2021 SCCs that European authorities consider more robust than the previous version. Signing an SCC-backed DPA with a US vendor is now table stakes for procurement to approve a contract.
And then there’s the legal framework layer. In July 2023, the European Commission adopted the EU-US Data Privacy Framework, the successor to Privacy Shield. The new framework includes a US executive order limiting intelligence access to European data to what’s “necessary and proportionate”, and a redress mechanism — the Data Protection Review Court — where European individuals can complain about US surveillance practices. US platforms that self-certify under the framework can use it as a legal basis for EU-to-US data transfers, much as Privacy Shield used to function before it was struck down.
On paper, the stack looks complete: EU-hosted infrastructure where the vendor offers it, robust SCCs as the contractual fallback, a working transfer framework underneath. The compliance answer for most live video deals today is “yes, we can do this lawfully.”
The footnotes are where it gets interesting. The infrastructure works, the contracts are signed, the framework is in force — but the actual legal exposure of a European company using a US platform still depends on three things that don’t show up in the sales pitch: how data is processed in practice, what the customer’s own Transfer Impact Assessment concludes, and how long the EU-US Data Privacy Framework survives its next court test.
Three questions to ask your vendor before the next renewal
Before signing the next live video platform contract — or before signing off on the next renewal — three questions are worth putting to your vendor in writing:
Where, exactly, is our data processed end-to-end?
Not just where it’s stored at rest, but where it flows through during processing. Data residency in vendor marketing sometimes only means storage location, while in-transit processing still routes through US infrastructure for transcoding, transcription, analytics, or recording.
A strong answer names specific data center locations, lists the sub-processors involved, and gives an explicit “no US fallback for EU customer data” commitment. An evasive answer talks about GDPR compliance in general terms without ever naming where the data actually sits.
What’s your position under the EU-US Data Privacy Framework, and what’s your contingency if it gets struck down?
Can you share your most recent Transfer Impact Assessment template?
Most vendors with serious European customer bases have a TIA template ready to share, because every European procurement team is asking for it. Sophisticated vendors lead with it. A vendor that asks what a TIA is, or pushes the entire assessment back onto your legal team without a starting document, is making a statement about how much they’ve invested in their European go-to-market — which is a useful signal in itself.
Data residency as a design choice
None of this means European companies can’t use US video platforms. Many do, lawfully, with the right contracts and the right diligence — the framework supports it, the SCCs hold up, the Transfer Impact Assessments can be written. The point of Schrems II isn’t that it forces an EU-hosted choice. The point is that it makes the choice visible.
For organizations in the most regulated corners of European business — banks, insurers, listed companies, governments, healthcare — there’s a quieter argument worth considering: treat data residency as a design choice, not a compliance burden. An EU-hosted platform is one where the Schrems II question doesn’t apply at all. The Transfer Impact Assessment is a sentence, not a workstream. The framework in force today doesn’t need to survive its next court test for your operating posture to remain stable next year.
Most video platform buyers don’t need that level of insulation. The ones who do tend to know it.
Sources and further reading
— Court of Justice of the European Union, Case C-311/18 (Schrems II), 16 July 2020 — curia.europa.eu
— Commission Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework, 10 July 2023 — ec.europa.eu
— European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools — edpb.europa.eu
— European Commission, Standard Contractual Clauses (2021) — ec.europa.eu
— NOYB (None Of Your Business), analysis of the EU-US Data Privacy Framework — noyb.eu