
Schrems II, in plain terms, for your contact form

The Formward Team, Formward AB, Stockholm

In July 2020 the Court of Justice of the European Union invalidated the EU–US Privacy Shield in a case known as Schrems II. The short version: transferring personal data from the EU to the United States can no longer be justified by Privacy Shield alone, because US surveillance law does not offer EU citizens equivalent protection.

For most engineers this sounds like a problem for legal teams, not for the person wiring up a contact form. But a contact form collects personal data, and if it posts to a US-based service, you are the data exporter. The obligation lands on you.

The cleanest answer is not to make the transfer at all. If the form backend stores data in the EU, sends mail through EU providers, and never routes submissions across the Atlantic, the Schrems II question simply does not arise. That is the design Formward committed to from its first release.

You can spend a lot of effort papering over a US data flow with Standard Contractual Clauses and transfer impact assessments, or you can pick infrastructure that keeps the data in Europe in the first place. We think the second option is less work and easier to defend.

About the author

The Formward Team builds privacy-first form infrastructure in Stockholm. Read about our security and privacy practices. Our approach follows the principles set out by the European Data Protection Board at edpb.europa.eu.
