Cross-Border Data Transfers After Schrems II: Practical Strategies
With EU-US data flows under continued scrutiny, organisations need a robust transfer impact assessment process and a clear view of all cross-border data flows. Here's how to get there.
The State of EU-US Data Transfers
The EU-US Data Privacy Framework (DPF), adopted by the European Commission on 10 July 2023, restored a legal basis for transfers of personal data from the EU to US organisations that have certified under it. Its stability remains uncertain: the privacy advocates who successfully had its predecessors struck down (Safe Harbor in 2015, Privacy Shield in 2020) are challenging it before the EU courts as well.
Sound compliance strategies do not bet on the continued validity of any single transfer mechanism. They keep Standard Contractual Clauses (SCCs) in place as a fallback even with DPF-certified importers, conduct Transfer Impact Assessments (TIAs) for destinations without an adequacy decision, and implement supplementary technical measures (encryption, pseudonymisation) that limit what a government could obtain if it compelled the importer to hand over the transferred data.
Mapping Your Cross-Border Data Flows
Effective transfer compliance begins with visibility. You cannot apply appropriate safeguards to transfers you do not know are occurring. The most common gap is transfers to SaaS vendors and cloud service providers whose infrastructure is physically located outside the EEA, even when the vendor's contracting entity is European. Remote access counts too: a support engineer in a third country reading data that is stored in an EEA region is a transfer for Chapter V purposes, so the map must cover where data is accessed from, not only where it is stored.
A systematic cross-border transfer mapping exercise should identify: every jurisdiction where data leaves the EEA; the legal mechanism supporting each transfer; and the nature of the data transferred. This map should be a living document, updated whenever new vendors are onboarded or existing vendor infrastructure changes.
Standard Contractual Clauses: The Updated Landscape
The SCCs adopted by the European Commission in June 2021 (Implementing Decision (EU) 2021/914) are now the standard contractual tool for GDPR Article 46 transfers. They replace the old controller-to-controller (2001, 2004) and controller-to-processor (2010) sets, whose decisions were repealed. The 2021 SCCs use a modular structure that covers more transfer scenarios than the old sets: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller transfers each have their own module, and a docking clause lets additional parties accede later.
Organisations that were using the old SCCs should have migrated to the 2021 SCCs: the transition period ended on 27 December 2022. Any organisation that has not completed this migration is now relying on a transfer mechanism that no longer exists and should treat this as an urgent compliance gap.
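The mapping exercise above and the SCC migration check can be turned into a simple validation over a transfer register. The following is an added example, not code from the original article: it assumes a register format with one entry per vendor, a small illustrative subset of destinations that have an adequacy decision (verify against the Commission's current list before relying on it), and treats US importers as covered only when they are DPF-certified. The sample register at the bottom is constructed.

```python
"""Flag gaps in a cross-border transfer register.

Added illustration, not code from the original article. The register fields,
the ADEQUATE subset and the mechanism labels are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}

# Illustrative subset of destinations with an adequacy decision (assumption:
# check the Commission's current list). The US is handled via DPF certification.
ADEQUATE = {"GB", "CH", "JP", "KR", "NZ", "IL", "AR", "UY"}

ARTICLE_46_TOOLS = {"SCC-2021", "BCR"}
LEGACY_SCCS = {"SCC-2001", "SCC-2004", "SCC-2010"}


@dataclass
class Transfer:
    vendor: str
    destination: str                  # ISO 3166-1 alpha-2 code of where data is stored or accessed from
    mechanism: Optional[str]          # e.g. "SCC-2021", "BCR", "SCC-2010", or None
    data_categories: Tuple[str, ...]
    tia_completed: bool = False
    dpf_certified: bool = False       # only meaningful when destination == "US"


def assess(t: Transfer) -> List[str]:
    """Return the compliance findings for one transfer (empty list = no gap found)."""
    findings: List[str] = []
    if t.destination in EEA or t.destination in ADEQUATE:
        return findings  # intra-EEA, or covered by an adequacy decision: no Article 46 tool or TIA needed
    if t.destination == "US" and t.dpf_certified:
        # Covered by the DPF adequacy decision, but the article recommends keeping SCCs as a fallback.
        if t.mechanism != "SCC-2021":
            findings.append(f"{t.vendor}: relies on DPF alone; put 2021 SCCs in place as a fallback")
        return findings
    if t.mechanism in LEGACY_SCCS:
        findings.append(f"{t.vendor}: {t.mechanism} has not been a valid mechanism since 27 Dec 2022; migrate to SCC-2021")
    elif t.mechanism not in ARTICLE_46_TOOLS:
        findings.append(f"{t.vendor}: transfer to {t.destination} has no Article 46 mechanism")
    if not t.tia_completed:
        findings.append(f"{t.vendor}: transfer to {t.destination} requires a TIA (Schrems II)")
    return findings


def assess_register(register: List[Transfer]) -> Dict[str, List[str]]:
    return {t.vendor: assess(t) for t in register}


# Constructed sample register for demonstration.
SAMPLE_REGISTER = [
    Transfer("analytics-saas", "US", "SCC-2010", ("email", "usage_events")),
    Transfer("payroll", "GB", None, ("name", "salary")),
    Transfer("crm", "US", None, ("email", "company"), dpf_certified=True),
    Transfer("support-tool", "IN", "SCC-2021", ("name", "ticket_text"), tia_completed=True),
    Transfer("dc-frankfurt", "DE", None, ("all",)),
]

if __name__ == "__main__":
    for vendor, findings in assess_register(SAMPLE_REGISTER).items():
        print(vendor, "->", findings or "OK")
```

Extend `assess` with whatever your register actually records (data sensitivity, onward transfers, remote-access locations); the point is that the register is machine-checkable, so re-running the check after every vendor onboarding is cheap.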
Transfer Impact Assessments: The Schrems II Requirement
The Schrems II judgment (CJEU, July 2020) established that SCCs alone are not sufficient to legitimise a transfer where the laws of the destination country allow government access to transferred data in ways that do not meet the GDPR's essentially-equivalent-protection standard. The exporter must verify, case by case, whether the SCCs are effective in practice; the Transfer Impact Assessment (TIA) is the documented form of that verification.
A TIA should assess: whether the destination is covered by an adequacy decision (if it is, no Article 46 tool or TIA is needed for that transfer); the legal framework in the destination country (surveillance laws, national security exceptions, remedies available to data subjects); the nature and sensitivity of the data transferred; and any supplementary technical, contractual, or organisational measures that reduce transfer risk.
Supplementary Technical Measures
Where a TIA concludes that the destination country's legal framework does not provide equivalent protection, supplementary measures can close the gap. The EDPB's Recommendations 01/2020 set out use cases in which technical measures are effective: strongly encrypted data stored with an importer that never holds the key (Use Case 1); pseudonymised data where the additional information needed to re-identify individuals is held exclusively by the exporter in the EEA (Use Case 2); and end-to-end encrypted data in transit between parties within the EEA that merely traverses a third country. "Zero-knowledge architecture" is the vendor term for the first case: a service built so that the provider genuinely cannot access plaintext.
The key test for each supplementary measure is whether it makes government access ineffective: the importer, and therefore any authority compelling the importer, must not be able to obtain the data in the clear. An encryption solution where the importer holds the decryption key does not meet this test, and neither does transport encryption (TLS) that terminates at the importer. Genuine end-to-end encryption where only the EEA controller or the individual data subject holds the key does. The important caveat is the converse: where the importer needs the data in the clear to provide the service (cloud processing, SaaS that renders customer data), the EDPB found no technical measure that would be effective (Use Cases 6 and 7), and contractual or organisational measures alone can only reduce, not close, the gap.
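To make Use Case 2 concrete, here is an added example (not code from the original article or from the EDPB) of pseudonymising records before export so that the importer only ever receives keyed tokens, while the HMAC key and the re-identification table stay with the EEA exporter. The field names, record layout and the single generalisation rule for date of birth are assumptions; the sample record is constructed. The `measure_is_effective` helper encodes the test from the paragraph above.

```python
"""Pseudonymise records before export; key and re-identification table stay in the EEA.

Added example, not code from the original article or the EDPB. The field names,
record layout and generalisation rule are assumptions for this illustration.
"""
import hmac
import hashlib
from typing import Any, Dict

# Fields that identify a person directly (assumption: adjust to your schema).
DIRECT_IDENTIFIERS = {"email", "name", "phone"}


class EeaPseudonymiser:
    """Runs inside the EEA. Neither the key nor the lookup table is ever exported."""

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("use a key of at least 256 bits")
        self._key = key                      # retained by the EEA exporter only
        self._lookup: Dict[str, str] = {}    # token -> original value, retained in the EEA

    def _token(self, value: str) -> str:
        # Keyed hash, not a plain SHA-256: without the key the importer cannot
        # recompute tokens from guessed inputs (e.g. a list of known email addresses).
        digest = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        return digest[:32]

    def export_view(self, record: Dict[str, Any]) -> Dict[str, Any]:
        """Return the version of the record that may leave the EEA."""
        out: Dict[str, Any] = {}
        for field, value in record.items():
            if field in DIRECT_IDENTIFIERS:
                token = self._token(str(value))
                self._lookup[token] = str(value)
                out[field] = token
            elif field == "date_of_birth":
                # An indirect identifier: generalise to the year so the remaining
                # attributes do not single out the person on their own.
                out[field] = str(value)[:4]
            else:
                out[field] = value
        return out

    def reidentify(self, exported: Dict[str, Any]) -> Dict[str, Any]:
        """Restore direct identifiers from results returned by the importer (EEA side only).
        Generalised fields (date_of_birth) are lossy and stay generalised."""
        out = dict(exported)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                out[field] = self._lookup[out[field]]
        return out


def measure_is_effective(importer_needs_plaintext: bool, key_holder: str) -> bool:
    """EDPB test from the text: a technical measure only helps if the importer cannot
    obtain the data in the clear. key_holder is 'EEA_EXPORTER', 'DATA_SUBJECT' or 'IMPORTER'."""
    return (not importer_needs_plaintext) and key_holder in {"EEA_EXPORTER", "DATA_SUBJECT"}


if __name__ == "__main__":
    # Constructed sample record.
    record = {"email": "ann@example.eu", "name": "Ann Example",
              "date_of_birth": "1984-03-09", "order_total": 42.0}
    p = EeaPseudonymiser(b"\x01" * 32)          # demo key; generate with secrets.token_bytes(32)
    exported = p.export_view(record)
    print("exported:", exported)
    print("restored:", p.reidentify(exported))
    print("importer holds key ->", measure_is_effective(False, "IMPORTER"))
```

The tokens are deterministic, so the importer can still join records belonging to the same person across batches; that is usually what the downstream analytics needs, but it also means the pseudonymised dataset must be assessed for re-identification through the remaining attributes, which is why the example generalises the date of birth rather than exporting it verbatim.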
Managing Transfers Under Emerging Frameworks
Cross-border transfer obligations are not limited to the GDPR. India's Digital Personal Data Protection Act 2023 takes the opposite approach to the EU: Section 16 permits transfers to any country or territory except those the Central Government restricts by notification, and it preserves stricter localisation requirements in sectoral law (for example, the RBI's rules for payment data). No restricting notification has yet been issued, so organisations transferring data out of India do not know which destinations may later be closed off.
Organisations operating in India should plan for the regime to tighten and build a data architecture that can segment Indian personal data for localised processing if required. Contractual safeguards, such as transfer clauses in vendor agreements, should be implemented now, even where not yet legally mandated.
Ongoing Transfer Compliance Management
Cross-border transfer compliance is not a project with a completion date; it is an ongoing operational requirement. The transfer landscape changes continuously: new adequacy decisions are adopted, existing ones are challenged, SCC counterparties move or add infrastructure and sub-processors, and new vendors are onboarded.
A transfer compliance management programme must include regular transfer map updates, periodic TIA reviews, SCC counterparty monitoring, and regulatory change monitoring. For organisations with significant international data flows, automation — workflow tools for TIA processes, contract management systems for SCC tracking — can significantly reduce the manual burden while improving accuracy.