The Schrems II Ruling and Its Legacy

International data transfers under the GDPR have operated in the shadow of two landmark rulings from the Court of Justice of the European Union: Schrems I (2015), which invalidated the Safe Harbor framework, and Schrems II (2020), which invalidated the EU-US Privacy Shield and imposed stringent conditions on the use of Standard Contractual Clauses for transfers to countries with surveillance laws that conflict with EU fundamental rights standards. Five years after Schrems II, the structure of international transfers remains more complex and more legally demanding than it was under the old framework.

The fundamental issue that Schrems II identified has not gone away: transfers of personal data to countries whose public authorities have broad surveillance powers, without effective judicial redress for EU data subjects, are presumptively incompatible with the GDPR's requirements for transfers. The mechanisms available to validate such transfers (adequacy decisions, Standard Contractual Clauses with supplementary measures, Binding Corporate Rules) must each be assessed in light of the legal reality of the destination country, not merely the contractual commitments of the data importer.

The EU-US Data Privacy Framework

The most significant development in international transfers since Schrems II was the adoption of the EU-US Data Privacy Framework (DPF) adequacy decision by the European Commission in July 2023. The DPF replaced the invalidated Privacy Shield and provides an adequacy basis for transfers to US organisations that self-certify under the DPF, a programme administered by the US Department of Commerce. US organisations certified under the DPF can receive personal data from the EU without Standard Contractual Clauses or other transfer mechanisms.

The DPF addresses the fundamental rights deficit identified in Schrems II through Executive Order 14086, which establishes new safeguards on US intelligence community access to EU data and creates a Data Protection Review Court as a redress mechanism for EU data subjects. Whether these measures adequately address the CJEU's concerns, and whether the DPF will survive a legal challenge from privacy advocates (as neither Safe Harbor nor Privacy Shield did), remains an open question. Controllers relying on the DPF should monitor its legal status and maintain contingency transfer mechanisms.

Standard Contractual Clauses: Post-Schrems II Requirements

For transfers to countries without an adequacy decision, and as a contingency mechanism for DPF-covered transfers, Standard Contractual Clauses (SCCs) remain the primary transfer mechanism. The European Commission published updated SCCs in June 2021 that replaced the old sets and added new clauses covering processor-to-processor and processor-to-controller transfers alongside the traditional controller-to-controller and controller-to-processor sets.

Critically, SCCs are not a standalone compliance solution post-Schrems II. Controllers must conduct a Transfer Impact Assessment (TIA) before relying on SCCs for transfers to third countries. The TIA assesses whether the laws and practices of the destination country permit the data importer to comply with the SCCs' obligations, including the obligation to notify the data exporter of, and to resist, public authority requests for access that are not proportionate and lawful under EU standards. Where the TIA identifies a gap (i.e., that the destination country's surveillance laws prevent the importer from meeting its SCC obligations), the controller must implement supplementary technical, contractual, or organisational measures to close the gap, or must suspend the transfer.

Binding Corporate Rules and Other Mechanisms

Binding Corporate Rules (BCRs) are codes of conduct for intra-group international transfers, approved by a lead data protection authority in the EU. They provide a robust but administratively demanding transfer mechanism for multinational groups. The GDPR also provides derogations for specific situations (explicit consent, contract performance, legal claims, vital interests, public interest), but these are intended as exceptions for individual transfers rather than as a structural basis for regular international data flows.

Frequently Asked Questions

Does the EU-US Data Privacy Framework replace the need for Standard Contractual Clauses with US vendors?

For US vendors that have self-certified under the DPF, an adequacy decision now exists and SCCs are not required for the transfer itself. However, the DPF only covers data transfers to certified US organisations: transfers to US entities that have not self-certified still require SCCs or another transfer mechanism. Controllers should verify DPF certification status for each US vendor before relying on adequacy, and should consider whether SCCs provide a useful backup mechanism given the DPF's uncertain long-term legal stability.

What is a Transfer Impact Assessment and when is it required?

A TIA is a documented analysis of whether the laws and practices of the third country to which data is being transferred allow the recipient to meet its obligations under the transfer mechanism being used. It is required whenever SCCs are used as the transfer mechanism for a transfer to a third country without adequacy status. The TIA must be country-specific and importer-specific: it cannot be a generic country analysis. Supervisory authorities have published guidance and tools to support TIA preparation, but the ultimate responsibility for the assessment lies with the data exporter.

Can we transfer special category data internationally under the same mechanisms?

Yes, the same mechanisms (adequacy decisions, SCCs with a TIA, BCRs) apply to special category data. However, the GDPR's requirements for processing special category data apply regardless of whether the data is transferred internationally: a lawful basis under Article 9 is required both for the original processing and for the transfer. The combination of special category data requirements and international transfer requirements creates a compounding compliance obligation that requires careful management. For transfers of health data, biometric data, or other sensitive categories to non-adequate countries, the combination of a TIA and supplementary technical measures (such as encryption where the data importer cannot access the decryption key) is the typical compliance approach.

Bart Lieben
Attorney-at-Law