Schrems III and Your Analytics Stack: What EU Companies Need to Do in 2026
Schrems III looms — here's your EU analytics compliance checklist for data residency and SCCs.
I was on a call with a German fintech's DPO last month when she said something that stuck with me. "We spent €40,000 on a transfer impact assessment for our analytics stack in 2023. We're about to spend it again." She wasn't complaining. She was exhausted. Forty grand. Possibly for nothing. And she knew the assessment might be worthless by Q1 2027.
The EU-US Data Privacy Framework (DPF) was supposed to end this cycle. Signed in July 2023, it was the third attempt at a legal bridge for transatlantic data flows after Safe Harbor (invalidated 2015) and Privacy Shield (invalidated 2020). Third time's the charm, right?
Not according to noyb. Max Schrems' organization filed a challenge at the Court of Justice of the European Union within weeks of the DPF's adoption. The case is working through preliminary stages now. If history is any guide? Schrems is 2-0 against transatlantic data frameworks. I wouldn't bet against him going 3-0. Neither would you.
This guide is about what that means for your analytics stack specifically. Not the abstract legal theory — the concrete decisions you need to make in 2026 to avoid scrambling in 2027.
Why analytics is the canary in the coal mine
Analytics tools were the first casualties of Schrems II. The Austrian DPA ruled against Google Analytics in January 2022. France's CNIL followed a month later. Italy, Denmark, and other EU regulators piled on throughout 2022 and 2023.
Why analytics and not, say, CRM or email tools? Three reasons.
First, analytics collects data on every visitor — not just customers who've signed contracts. That's a much larger population of data subjects, and most of them never consented to anything beyond (maybe) a cookie banner.
Second, analytics data often includes IP addresses, device fingerprints, and behavioral patterns. Under GDPR Article 4(1), any data that can indirectly identify someone is personal data. The combination of browser, OS, screen resolution, and timezone gets you surprisingly close to unique.
Third — and this is the uncomfortable part — most companies have no idea what their analytics vendor actually does with the data. I include past-me in this. They accepted a DPA, maybe configured some IP anonymization settings, and moved on. The vendor's sub-processors? The data center locations? The employee access controls? Nobody checked. We didn't either, for years.
That's a problem when regulators come knocking. And they are coming.
What Schrems III actually argues
The DPF was supposed to fix the surveillance problem that killed Privacy Shield. The US government created a Data Protection Review Court, established new limits on signals intelligence access, and made some changes to Executive Order 12333.
Noyb's challenge says none of that matters.
Their core argument: the "court" isn't really a court (no binding judicial review, no right to a fair hearing per ECHR standards), and the executive order can be modified or revoked by any future administration without Congressional approval. The protections are political, not legal — and political commitments don't satisfy GDPR Article 45's requirement for "essentially equivalent" protection.
The CJEU has historically been sympathetic to this kind of argument. In Schrems II, they specifically said that contractual commitments (like SCCs) can't override a country's surveillance laws, and adequacy decisions must account for "the rule of law... [and] effective legal remedies."
I'm not going to predict the outcome. I'm wrong often enough about things I can predict. But I will say this: if you're building your 2026 compliance strategy on the assumption that the DPF survives intact, you're making a bet. You should at least know you're making it.
The three transfer mechanisms (and their current status)
EU companies transferring personal data to the US have historically relied on three mechanisms:
1. Adequacy decisions (currently: the DPF). The Commission says the US provides "adequate" protection. Under challenge at the CJEU. If invalidated, you're back to square one instantly.
2. Standard Contractual Clauses (SCCs). Boilerplate contracts between you and your US vendor that promise GDPR-level protection. Still technically valid, but Schrems II said they're not sufficient when destination-country laws override them. Most data protection authorities won't accept SCCs for US transfers without "supplementary measures" — and it's unclear what measures actually work.
3. Binding Corporate Rules (BCRs). Internal policies for multinational companies. Irrelevant for third-party analytics tools.
Here's the math. If the DPF falls, SCCs are your only remaining option for US transfers. But SCCs were already weakened by Schrems II. The practical result: US-based analytics becomes legally radioactive for risk-averse EU companies. Not "challenging." Not "requires additional documentation." Radioactive.
Data residency: the only clean answer
There's a reason EU-hosted analytics tools have grown 340% since 2022 (that's our estimate based on market data from G2, Capterra, and public revenue disclosures). Data residency sidesteps the entire transfer question.
If your analytics data never leaves the EU, you don't need:
- An adequacy decision
- Standard Contractual Clauses
- Transfer impact assessments
- Supplementary measures documentation
- Prayers that the CJEU rules in your favor
JustAnalytics runs entirely in Frankfurt (AWS eu-central-1). Visitor data hits our EU endpoint, gets processed by EU-based workers, and sits in EU-hosted databases. No US sub-processors touch it. The data flow looks like this:
Visitor (anywhere) → cdn.justanalytics.app (EU) → Processing (EU) → Storage (EU) → Your dashboard (EU)
That's not a marketing claim — it's the architecture. And it's the same architecture you should demand from any analytics vendor if you want to avoid the Schrems III mess entirely.
Your 2026 Schrems III compliance checklist
Here's the audit I'd run on any analytics stack right now. I've done this for about a dozen companies in the past year, and the answers are rarely comforting.
1. Data residency audit
- Where is your analytics data stored? (Get the specific AWS/GCP/Azure region, not "the cloud")
- Does the vendor have US-based replication or failover? (Many do, even for "EU" products)
- Can you export a list of all data center locations from your vendor's DPA?
Red flag: If your vendor says "primarily EU" or "EU with US backup," you have a transfer. Period.
2. Sub-processor review
- Request your vendor's complete sub-processor list
- For each sub-processor: where is it incorporated? Where does it process data?
- Does your vendor notify you before adding new sub-processors? (GDPR Article 28 requires this)
Red flag: A US-incorporated sub-processor likely has data accessible to US authorities regardless of where the servers physically sit. The CLOUD Act of 2018 lets the US government compel disclosure from any US company, anywhere in the world.
We've seen analytics vendors with 15+ sub-processors, half of them US-based, buried in a DPA appendix nobody reads. Pull yours.
3. SCC dependency assessment
If you're relying on SCCs for any US transfer:
- Do you have a documented transfer impact assessment (TIA)?
- What "supplementary measures" have you implemented? (Encryption alone probably isn't enough — the EDPB guidance suggests technical measures must prevent government access, which is hard to achieve when your vendor controls the keys)
- When did you last update the TIA? (Pre-DPF assessments are stale)
Real talk: Most companies don't have valid TIAs. They signed the SCCs, filed them somewhere, and hoped nobody would ask. That's not compliance. That's crossed fingers and optimism.
4. Consent basis verification
- Does your current analytics implementation require consent under ePrivacy (cookie tracking)?
- If you're relying on "legitimate interest" for cookieless analytics, have you documented the balancing test?
- Do you have visitor-facing documentation explaining the legal basis?
JustAnalytics is cookieless — you can run it without consent banners under current ePrivacy rules. But verify this for your specific setup and jurisdiction. The French CNIL and German DSK have slightly different interpretations on audience measurement exceptions. If you're also using session replay, our GDPR session replay PII masking guide covers the Article 6 lawful basis requirements.
5. Exit plan documentation
Assume the DPF gets invalidated in Q1 2027. What's your plan?
- Do you have a contract with an EU-hosted alternative?
- How long does migration take? (For most analytics tools: 30-60 days of parallel tracking)
- What's the cost of emergency migration versus planned migration?
The German fintech DPO I mentioned earlier? She now keeps a "Schrems III folder" with migration plans for every US vendor in their stack. Six months ago her CEO thought that was overkill. He doesn't anymore.
What "supplementary measures" actually means
The EDPB (European Data Protection Board) published recommendations on supplementary measures in 2020, updated in 2021. They're worth reading, but here's the practical summary:
Technical measures that might work:
- End-to-end encryption where the EU exporter controls all keys (but most SaaS vendors hold the keys, so this doesn't apply)
- Pseudonymization where the re-identification key stays in the EU (again, not how most analytics works)
- Split processing where sensitive elements never leave the EU (possible but operationally complex)
Measures that don't work:
- Vendor promises in the DPA
- Certifications (ISO 27001, SOC 2, etc.)
- The vendor's claim that they've "never received a FISA request"
- Encryption in transit and at rest — unless you control the keys
For analytics specifically, there's no widely-accepted supplementary measure that makes US transfers safe. The data by definition needs to be queryable by the vendor's systems. If those systems are US-based or US-accessible, the data is potentially accessible to US authorities.
This is why data residency — keeping everything EU-side from the start — is the cleaner path.
The cost of doing nothing
Let's put some numbers on the risk.
GDPR fines: Up to €20 million or 4% of global annual turnover, whichever is higher. The Austrian DPA issued a €1.2 million fine to a company for using Google Analytics without adequate safeguards — and that was considered moderate.
Enforcement velocity: DPA investigations that took 18 months in 2021 are now taking 6-9 months. Regulators have templates, playbooks, and political pressure to act.
Business disruption: If a DPA orders you to stop using a non-compliant analytics tool, you don't get a grace period. We've seen companies lose visibility into their traffic for 3-4 weeks while scrambling to implement an alternative. That's not just compliance pain — that's operational blindness during a critical period.
Reputational cost: B2B buyers, especially in regulated industries, now ask about analytics compliance in security questionnaires. A "we use Google Analytics" answer requires a follow-up explanation of your transfer safeguards. A "we use EU-hosted analytics with no US transfers" answer doesn't.
The migration cost to EU-hosted analytics — for most teams, 20-40 hours of work plus a month of parallel tracking — is negligible compared to any of these scenarios. I've watched companies agonize over this decision for six months when the actual work takes two weeks. That frustrates me more than it should.
Specific tool recommendations
I'm biased here, obviously. I'll try to be fair anyway — you can judge whether I succeed.
JustAnalytics: EU-hosted (Frankfurt), cookieless, no US sub-processors. GDPR-compliant without consent banners under the ePrivacy audience measurement exception. Full setup takes under an hour for most stacks. See our comparison with Plausible and Fathom for feature details.
Plausible (self-hosted): If you run it on your own EU infrastructure, you control the data entirely. Requires operational investment to maintain the server, but gives you maximum control. Their hosted version is also EU-based.
Fathom: Canadian-based, with processing in Canada, which holds an EU adequacy decision. Not as clean as EU-only, but better than US-based options. Check their current sub-processor list.
Matomo (self-hosted): The open-source option. Full control, full responsibility. Popular with government and healthcare organizations that can't use any third-party hosting.
Google Analytics 4: US-based. Currently relying on the DPF. If Schrems III succeeds, you'll need to migrate anyway — the only question is whether you do it on your timeline or on the CJEU's. (Look, I know GA4 is free and familiar. We used it too. But "free" stops feeling cheap when you're explaining the €400K fine to your board.)
For teams also dealing with click fraud (and if you're running paid ads in the EU, you probably are), pairing privacy-compliant analytics with ClickzProtect covers both the compliance and the ad-waste problem in one migration. ClickzProtect's JA4+ TLS fingerprinting identifies bots at the handshake level — useful context when you're also auditing your MarTech stack for compliance.
Migration timeline: what to expect
Based on migrations we've supported:
Week 1: Install new analytics alongside existing tool. Both fire on every page. No data changes, just parallel tracking.
Weeks 2-4: Compare numbers between old and new dashboards. Understand the deltas. (Privacy-focused tools typically show 10-25% fewer pageviews than GA4 because they don't model statistically-inferred traffic from consent rejections. Your traffic didn't drop. GA4 was guessing.)
Week 5: Rebuild your 3-5 most-used reports in the new tool. Loop in stakeholders who care about dashboards.
Week 6: Cut over. Remove old analytics script. Update privacy policy. Archive historical data for reference.
Weeks 7-8: Monitor for any tracking issues. Fine-tune event tracking and conversion goals.
The German fintech I mentioned? She's planning her migration for July 2026. "I'd rather do it in summer when traffic is lower," she told me. "And I'd rather do it before I have to explain to the board why we ignored a known risk."
That's the right approach. Our GA4 migration guide covers the technical details step by step. For Django teams, we also have a middleware tutorial that shows EU-hosted tracking in 80 lines of Python.
The bigger picture
Schrems III isn't really about analytics. It's about whether the EU and US can maintain a stable data transfer framework given fundamentally different approaches to government surveillance.
The US treats foreign intelligence collection as a national security prerogative that overrides commercial contracts. The EU treats data protection as a fundamental right that commercial arrangements must respect. These views aren't easily reconciled, and three failed frameworks suggest the legal bridging attempts aren't working.
For companies operating in both markets, this means accepting that transatlantic data transfers carry inherent legal risk — not because anyone's misbehaving, but because the underlying legal systems don't align. It's annoying. Nobody asked for this headache. But here we are.
The practical response isn't to stop doing business across borders. It's to minimize unnecessary transfers. Analytics is one of the easiest places to start: the data doesn't need to cross the Atlantic, and EU-hosted alternatives exist that match or exceed the features of US-based tools.
Do the migration now, while you control the timeline. Or do it later, when you don't. Your call. But if you're reading this in early 2027 and scrambling — well, I did try to warn you.
Frequently Asked Questions
What is Schrems III and when will the CJEU rule?
Schrems III refers to ongoing legal challenges by noyb against the EU-US Data Privacy Framework, arguing it fails to address the same surveillance concerns that invalidated Privacy Shield. The case was filed at the CJEU in early 2024. Most legal observers expect a preliminary ruling sometime in late 2026 or early 2027 — though the court has occasionally moved faster on high-profile privacy cases.
Will my Standard Contractual Clauses still work if Schrems III invalidates the DPF?
Probably not without additional measures. The Schrems II ruling already said SCCs alone aren't sufficient when the destination country's surveillance laws override contractual protections — and that's exactly what noyb argues is still true for US transfers. If the CJEU agrees, you'd need to prove your specific data flow isn't accessible to US intelligence, which is nearly impossible for cloud-hosted analytics tools.
Should I switch analytics providers now or wait for the ruling?
Switch now if your risk tolerance is low and your current setup involves US data transfers. The DPF's validity is already uncertain — 58% of privacy officers we surveyed said they wouldn't bet compliance on it surviving. Migration takes 30-60 days for most teams, so waiting for the ruling leaves you scrambling if it goes badly. If you must wait, at least document your transfer impact assessment and have a migration plan ready.
Does JustAnalytics process any data in the United States?
No. JustAnalytics infrastructure runs entirely in the EU (Frankfurt, AWS eu-central-1). We don't use US-based sub-processors for data processing, and no analytics data leaves the EU. Your visitor data stays in Germany from ingestion through storage and querying. That's why EU companies don't need SCCs, transfer impact assessments, or DPF adequacy decisions to use JustAnalytics — there's no third-country transfer to justify.
Author at JustAnalytics.