Why It Matters
In a globalized economy, personal data constantly crosses borders — cloud services hosted in the US, customer support in India, analytics processed in multiple countries. GDPR restricts these transfers to ensure that European data protection standards follow the data wherever it goes. The landmark Schrems II ruling (2020) invalidated the EU-US Privacy Shield and forced thousands of organizations to reassess their data transfer practices.
When Does a Transfer Occur?
A cross-border data transfer happens when personal data moves from inside the EEA to a country outside it. This includes:
- Cloud hosting — using AWS, Azure, or Google Cloud with servers outside the EEA
- SaaS tools — Salesforce, HubSpot, Mailchimp, Slack (US-headquartered services)
- Group sharing — multinational companies sharing employee data between entities
- Outsourcing — customer support, development, or processing in non-EEA countries
- Remote access — employees outside the EEA accessing European databases
Transfer Mechanisms Under GDPR
1. Adequacy Decisions (Article 45)
The European Commission has determined that certain countries provide adequate data protection:
- Current adequacy countries include: Andorra, Argentina, Canada (PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, UK, Uruguay
- EU-US Data Privacy Framework (DPF) — adopted July 2023, replacing Privacy Shield
- If a country has an adequacy decision, transfers to it are permitted without additional safeguards
2. Standard Contractual Clauses (SCCs) (Article 46)
- Pre-approved contract templates adopted by the European Commission
- Most commonly used transfer mechanism worldwide
- Must be accompanied by a Transfer Impact Assessment (TIA), which evaluates whether the destination country's laws undermine the protections
- Current SCCs adopted June 2021 (replaced older versions)
3. Binding Corporate Rules (BCRs) (Article 47)
- Internal rules adopted by multinational groups for intra-group transfers
- Must be approved by a lead supervisory authority
- Complex and time-consuming (12–18 months), but provide broad transfer coverage
4. Derogations (Article 49)
Limited exceptions for occasional transfers:
- Explicit consent (with full information about risks)
- Contract performance (transfer necessary to fulfill a contract with the data subject)
- Legal claims
- Vital interests
- Public interest
The Schrems II Impact
The CJEU's Schrems II ruling (July 2020) fundamentally changed cross-border transfers:
- Invalidated EU-US Privacy Shield — US surveillance laws were deemed incompatible with EU rights
- Required supplementary measures — SCCs alone may not be sufficient; organizations must assess the legal framework of the destination country
- Transfer Impact Assessments became mandatory — organizations must evaluate whether local laws allow government access that undermines GDPR protections
The EU-US Data Privacy Framework (DPF) was adopted in 2023 to address Schrems II concerns, but its long-term durability remains uncertain (a "Schrems III" challenge is expected).
Key Regulation
- GDPR Chapter V (Articles 44–50) — transfers to third countries
- CJEU Schrems II (C-311/18) — invalidated Privacy Shield, imposed supplementary measures
- Commission Implementing Decision 2021/914 — current SCCs
- EDPB Recommendations 01/2020 — supplementary measures guidance