In brief. In Schrems II (Case C-311/18, 16 July 2020) the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield and held that organizations relying on Standard Contractual Clauses must independently assess whether the destination country's law would stop the data importer from honoring its contractual promises. That single holding turned data-transfer compliance from a signing exercise into substantive legal analysis. This article explains the architecture that emerged: the EU-U.S. Data Privacy Framework (upheld at first instance in 2025 but now on appeal to the Court of Justice), the 2021 modular SCCs and the mandatory Transfer Impact Assessment, the three families of supplementary measures and where each one fails, Binding Corporate Rules, the narrow Article 49 derogations, and the parallel UK regime renewed through December 2031. Enforcement fines now reach into the hundreds of millions and the billions of euros, so the practical message is blunt: treat these requirements as real legal constraints, not paperwork, because some transfers cannot survive an honest assessment.
A SaaS company we will call Halcyon Cloud is headquartered in Dublin. Its product runs on a U.S. hyperscaler's infrastructure, its overnight support desk sits in Manila, and three analytics vendors scattered across as many continents help it understand how customers use the software. None of that is exotic. It is, more or less, how modern software gets built and sold. And yet every one of those relationships is, in the eyes of European data protection law, an international transfer of personal data — a regulated event that must be justified, documented, and, in many cases, defended against the surveillance laws of a country thousands of miles away. The customer-relationship database that syncs to overseas headquarters, the cloud bucket that happens to replicate to a foreign region, the payroll file that lands on a processor's server in another hemisphere: each is a transfer, and each now carries questions that used not to have answers.
The questions got harder on 16 July 2020, when the Court of Justice of the European Union decided Data Protection Commissioner v. Facebook Ireland Ltd. and Maximillian Schrems, Case C-311/18 — universally known as Schrems II. The Court struck down the EU-U.S. Privacy Shield, the adequacy framework that had legitimized transatlantic data flows since 2016, and in the same breath cast a long shadow over Standard Contractual Clauses, the workhorse mechanism that nearly everyone else relied on. SCCs survived the ruling, but only after the Court bolted onto them a new and consequential duty: anyone using them must verify that the law of the destination country will not prevent the recipient from keeping the promises the clauses contain. Box-ticking was over. Substantive analysis had arrived.
The stakes are not theoretical. Cumulative GDPR fines now run well into the billions of euros, and several of the headline penalties turn specifically on cross-border transfers. Meta drew a €1.2 billion fine in May 2023 — the largest GDPR penalty ever imposed — for shipping EU user data to the United States without adequate safeguards. That is not a rounding error for even the largest enterprise, and it is a catastrophe for a Halcyon. This article maps the terrain a compliant program must cross: the Data Privacy Framework and the appeal now testing it, the 2021 SCCs and the Transfer Impact Assessment, supplementary measures and their hard limits, Binding Corporate Rules, the Article 49 derogations, the UK's parallel regime, and how to build a program that holds up when a regulator comes asking.
The Schrems Legacy: Why the Charter Won't Let Data Travel Naked
To understand why a contract is no longer enough, you have to understand what the Court of Justice has been doing for the better part of two decades. The Schrems line of cases did not invent new doctrine so much as insist, repeatedly, that the European Union's constitutional commitments mean what they say even when the data has left the building.
Those commitments live in the Charter of Fundamental Rights of the European Union. Article 7 guarantees respect for private and family life; Article 8 separately and explicitly protects personal data, requiring that it be processed fairly, for specified purposes, on a legitimate basis, and subject to independent oversight. These are not regulatory preferences to be traded away for commercial convenience. They are constitutional floors that bind what EU institutions and member states may authorize. Chapter V of the General Data Protection Regulation (Regulation (EU) 2016/679) is the mechanism that carries those protections across the border: Article 44 sets the general principle that personal data may leave the European Economic Area only if "the level of protection of natural persons guaranteed by this Regulation is not undermined." Everything downstream — adequacy decisions, SCCs, BCRs, derogations — is an answer to the question Article 44 poses.
The first Schrems decision (Maximillian Schrems v. Data Protection Commissioner, Case C-362/14, 6 October 2015) tore down Safe Harbor, the framework that had governed EU-U.S. transfers since 2000. The Court's logic was disarmingly simple: an adequacy decision — the Commission's formal determination that a third country provides sufficient protection — cannot survive if it ignores the reality of governmental surveillance in the destination. The Court found that U.S. national-security programs permitted access to transferred data on a generalized basis, incompatible with the essence of EU fundamental rights, and that EU data subjects had no effective judicial remedy. Safe Harbor fell.
Schrems II, five years later, did two things. First, it repeated the exercise on Safe Harbor's successor. Privacy Shield collapsed for essentially the same reasons: U.S. surveillance law — in particular Section 702 of the Foreign Intelligence Surveillance Act and the older Executive Order 12333 — allowed intelligence collection without the individualized judicial authorization and the genuine, enforceable redress that EU law demands. The Court was not persuaded that Privacy Shield's "Ombudsperson" mechanism cured the problem, because the Ombudsperson was neither independent of the executive nor empowered to bind the intelligence community.
Second — and this is the part that rewired everyone's compliance program — the Court turned its attention to Standard Contractual Clauses. It upheld them as a mechanism. But it held that a contract, by its nature, binds only the parties who sign it, and cannot bind a foreign government's surveillance apparatus. So the validity of SCCs in any given case depends on whether the importer can actually comply with them given the law it operates under. If local law would compel the importer to hand data to intelligence services in a way that defeats the clauses, then the clauses — however perfectly drafted — do not provide the "essentially equivalent" protection Chapter V requires. The exporter must assess this, and if SCCs alone fall short, must adopt supplementary measures or stop the transfer. The importer, for its part, must tell the exporter the moment it can no longer comply, at which point the exporter must suspend or terminate.
That obligation — operationalized today as the Transfer Impact Assessment — is the hinge of the entire post-2020 regime. It converted transfer compliance from a procurement task ("paper the deal with the standard clauses") into a research task ("read the surveillance law of every country your data touches and decide whether the clauses will actually work there"). For a company sending data to twelve jurisdictions, that is twelve legal analyses, each documented, each revisited when the law changes. The genius and the cruelty of Schrems II is the same fact: it made the obligation honest and made it heavy.
The EU-U.S. Data Privacy Framework: A Replacement Built to Survive Review
The single largest data corridor on earth runs across the North Atlantic, and Schrems II left it without a dedicated bridge. Negotiators on both sides went to work, and the result is the EU-U.S. Data Privacy Framework (DPF), agreed in principle in March 2022 and formalized when the Commission adopted its adequacy decision — Commission Implementing Decision (EU) 2023/1795 — on 10 July 2023. The DPF is best understood not as a new treaty but as a package of U.S. executive commitments engineered to answer, point by point, the specific deficiencies the Court identified in Privacy Shield.
The centerpiece is Executive Order 14086, signed on 7 October 2022, which directs the U.S. intelligence community to limit signals-intelligence collection of EU personal data to what is "necessary and proportionate" to validated national-security objectives — importing, deliberately, the EU's own vocabulary of proportionality. The order also built a two-tier redress mechanism: a first-stage review by the Civil Liberties Protection Officer within the Office of the Director of National Intelligence, and a second-stage appeal to a newly created Data Protection Review Court, an independent adjudicatory body established within the Department of Justice by Attorney General regulation (28 C.F.R. Part 201). The DPRC can investigate complaints from EU individuals, issue binding remediation orders, and — crucially for the "independence" critique that sank the Ombudsperson — its judges enjoy protection from removal for the duration of their service.
On the commercial side, the architecture will look familiar to anyone who remembers Privacy Shield. U.S. organizations self-certify to a set of DPF Principles through the Department of Commerce, recertify annually, and submit to enforcement by the Federal Trade Commission under Section 5 of the FTC Act (or the Department of Transportation, for carriers). The mechanics:
| Element | What it does | Legal basis |
|---|---|---|
| Necessity and proportionality | Limits U.S. intelligence collection of EU data to validated national-security objectives | Executive Order 14086 |
| Civil Liberties Protection Officer | First-tier review of complaints within ODNI | Executive Order 14086 |
| Data Protection Review Court | Independent tribunal that adjudicates EU complaints and orders remediation | 28 C.F.R. Part 201 (AG regulation) |
| Self-certification | U.S. organizations commit to the DPF Principles via Commerce Department registration | Adequacy Decision (EU) 2023/1795 |
| Annual recertification | Ongoing verification of compliance | DPF Principles |
| FTC enforcement | Federal authority to pursue violators | Section 5, FTC Act |
The payoff for business is real. Once a U.S. organization holds a current DPF certification, an EU exporter may send it personal data on the strength of the adequacy decision alone — no SCCs, no TIA, no supplementary measures. For Halcyon Cloud, confirming that its U.S. infrastructure vendor appears on the official Data Privacy Framework List (and that the certification covers the relevant data categories, including HR data, which require a separate election) can collapse an otherwise burdensome transatlantic compliance project into a status check. Thousands of organizations have certified.
The Latombe Challenge and the Limits of "Currently Valid"
Privacy Shield lasted four years before the Court killed it. Safe Harbor lasted fifteen. History suggested the DPF would be challenged the moment the ink dried, and it was.
French Member of the European Parliament Philippe Latombe filed an action for annulment within days of the adequacy decision, arguing two things: that the Data Protection Review Court lacks the independence Article 47 of the Charter requires of a "tribunal," because it sits inside the executive branch rather than the judiciary; and that U.S. bulk-collection practices remain incompatible with EU standards regardless of EO 14086's language. On 3 September 2025, the General Court of the European Union dismissed the challenge in Case T-553/23, holding that the DPF ensures an adequate level of protection.
The General Court's reasoning is worth dwelling on, because it tells you how the doctrine is likely to be applied going forward. The court emphasized that EU law does not demand that a third country replicate EU protections identically — only that it offer safeguards that are essentially equivalent, a standard that tolerates structural differences between legal systems. It held that Schrems II does not require prior judicial authorization of intelligence collection, provided there is adequate ex post judicial review — and it found that the DPRC supplies that review. And, tellingly, it confined its analysis to the facts as they stood on 10 July 2023, the date the Commission adopted the decision. The court stressed the Commission's continuing duty to monitor U.S. practice and to suspend, amend, or repeal the adequacy decision if circumstances deteriorate.
That last point is the whole game. A first-instance win is not a final word, and on 31 October 2025 Latombe appealed to the Court of Justice — putting the DPF's validity, once again, before the EU's highest court. A definitive ruling is years away. Meanwhile, Max Schrems' organization NOYB has signaled broader challenges aimed at post-2023 developments, including the reauthorization of FISA Section 702 and shifts in U.S. oversight that the General Court, by design, did not consider. There is also a structural fragility no court can fix: the DPF rests on an executive order, and executive orders can be amended or rescinded by the stroke of a pen in a way that a statute or treaty cannot.
The practical posture, then, is to treat the DPF as currently valid but not permanently settled. Rely on it where it helps, but build a program that does not collapse if it disappears. A prudent organization — Halcyon included — keeps an alternative transfer mechanism drafted and ready to activate, so that a future ruling does not freeze its operations the way the death of Privacy Shield froze so many in 2020. The lesson of this saga is that adequacy for the United States is a recurring negotiation, not a destination, and history's base rate for transatlantic frameworks is sobering.
Standard Contractual Clauses: The Workhorse and Its New Burden
The DPF handles a slice of the world — certified U.S. recipients — and a large slice at that. But it does nothing for transfers to India, to a non-certified U.S. vendor, to a sub-processor in Singapore, or to a parent company in Brazil. For all of that, the default tool is the Standard Contractual Clauses: model contract terms, pre-approved by the European Commission, that bind exporter and importer to GDPR-grade protections by private agreement under Article 46.
On 4 June 2021 the Commission adopted modernized SCCs in Commission Implementing Decision (EU) 2021/914, retiring the clause sets that had been in service since 2001 and 2010. The new SCCs are a genuine redesign, not a refresh. The most visible change is modularity. Rather than one rigid set of clauses for a single controller-to-processor relationship, the 2021 SCCs offer four interchangeable modules that an organization slots together to match the actual roles of the parties:
| Module | Transfer scenario | Typical use |
|---|---|---|
| Module 1 | Controller to controller (C2C) | Sharing customer data with an overseas business partner |
| Module 2 | Controller to processor (C2P) | Engaging a third-country cloud provider or payroll bureau |
| Module 3 | Processor to processor (P2P) | A processor passing data to an offshore sub-processor |
| Module 4 | Processor to controller (P2C) | Returning processed data to a foreign controller |
This is more than administrative tidiness. A processor like Halcyon, routing its EU customers' data to an offshore sub-processor, lives in Module 3; the same data, when Halcyon's customer shares it with an overseas affiliate, travels under Module 1. Getting the module wrong is not a cosmetic error — it misallocates the obligations and may leave a link in the chain unprotected. The 2021 SCCs also include a docking clause that lets additional parties join an existing agreement, which matters in long sub-processing chains, and they expressly accommodate the GDPR's Article 28 processor obligations, so a single instrument can do double duty.
The clause that carries Schrems II into the contract is Clause 14. Both parties must warrant that they have "no reason to believe" the laws and practices of the destination country, as applied to this transfer, prevent the importer from fulfilling its obligations under the clauses. That warranty is not a throwaway recital. The SCCs require it to rest on a documented assessment of the specific circumstances of the transfer, the relevant law and practice of the destination, and any supplementary measures adopted — and they oblige the parties to keep that assessment available for the supervisory authority. Clause 14, in other words, is the contractual mouth of the Transfer Impact Assessment. Clause 15 then operationalizes the importer's duties when a government comes knocking: notify the exporter of any access request (where legally permitted), challenge requests that appear unlawful or excessive, and provide the minimum permissible if a challenge fails.
One housekeeping deadline matters for diligence: the transition window for migrating from the legacy 2001/2010 SCCs to the 2021 set closed on 27 December 2022, and from that date the legacy clauses ceased to provide a valid basis for new contracts and pre-existing contracts alike. Any organization still leaning on pre-2021 clauses is, on the face of it, out of compliance, and an SCC audit should hunt specifically for these fossils in inherited vendor agreements and dusty data processing addenda.
Maintaining a compliant SCC program is a real discipline. An organization must correctly identify its role in each flow, select the right module (and combine modules where a single relationship spans several), complete the detailed annexes describing the data categories, the processing, the technical and organizational security measures, and the competent supervisory authority, and run a TIA for each transfer or each genuinely homogeneous category of transfers. None of this is hard in the abstract; it is hard at scale, across hundreds of vendors, when half the underlying flows were never documented. Arrangements that move sensitive commercial information — source code, customer lists, deal data — deserve particular care, as our discussion of trade secrets in the age of remote work and cloud computing explains, because there the data-protection failure and the trade-secret failure can be the same failure wearing two hats. And when SCCs ride inside a broader software arrangement, the transfer terms have to be reconciled with the rest of the contract, a point we develop in drafting software license agreements: key terms and negotiation points.
Transfer Impact Assessments: The Methodology That Makes Schrems II Operational
The Transfer Impact Assessment (TIA) is where Schrems II's abstract holding becomes a worksheet. An organization may not lawfully transfer personal data on the strength of SCCs if it knows, or should know, that the importer will be unable to honor its commitments because of local law. The European Data Protection Board supplied the authoritative how-to in its Recommendations 01/2020 on measures that supplement transfer tools (adopted in final form on 18 June 2021). The 2021 SCCs incorporate that roadmap by reference, and supervisory authorities across the EEA treat the EDPB's six steps as the expected method.
The six steps proceed in order, and each one tends to surprise organizations in a different way.
Step 1 — Know your transfers. Map every international data flow: what categories of personal data go to which recipients in which countries, for what purposes, on what legal basis, and — easy to miss — including the onward transfers a processor makes to its own sub-processors. The recurring discovery here is that the map is bigger than anyone expected. A "U.S. vendor" turns out to replicate data to a support center in another country; a "European" SaaS tool routes telemetry to an American parent. You cannot assess what you have not found, and most programs find their hardest problems in this step.
Step 2 — Identify the transfer tool. For each flow, pin down the Article 45/46/49 mechanism: adequacy, SCCs, BCRs, or a derogation. Transfers to adequacy-covered destinations do not require a TIA at all — and that now includes DPF-certified U.S. recipients and the United Kingdom under the December 2025 renewal discussed below. Article 49 derogations, properly invoked, also fall outside the TIA process. Identifying which flows need a TIA narrows the work, sometimes dramatically.
Step 3 — Assess the destination's law and practice. This is the heart of the exercise, and the part Schrems II added. The question is whether anything in the destination's legal order — surveillance statutes, government-access powers, data-localization or disclosure mandates — would prevent the importer from complying with the SCCs. The EDPB frames the analysis around its European Essential Guarantees: whether processing for surveillance rests on clear, accessible legal rules; whether interference is genuinely necessary and proportionate; whether independent oversight exists; and whether effective remedies are available to data subjects. Critically, the assessment weighs both the law on the books and the law in practice: a statute may be narrower or broader in application than its text suggests. The importer's practical experience — has it ever received an access request? — is relevant evidence, but the EDPB warns against overweighting the mere absence of past requests, which may reflect nothing more than that the importer has not yet become interesting to an intelligence service.
Step 4 — Adopt supplementary measures. Where the transfer tool alone does not deliver essential equivalence, identify technical, organizational, or contractual measures calibrated to the specific risk found in Step 3. The measure must actually address the gap; a generic encryption clause does nothing about a clear-text remote-support scenario.
Step 5 — Take the procedural steps. Some measures trigger formalities — for example, notifying or seeking authorization from a supervisory authority where a chosen measure modifies the SCCs rather than merely supplementing them. Modifying the standard clauses can forfeit their pre-approved status, so this step is a trap for the overconfident drafter.
Step 6 — Re-evaluate, continuously. A TIA is a snapshot, and the destination's law moves. A new surveillance statute, a fresh court ruling, an expansion of a government-access power, the lapse of a vendor's certification — any of these can invalidate the assessment, and the organization must stand ready to suspend or terminate the transfer when the basis erodes.
The burden is genuine. An organization with sprawling flows may need dozens or hundreds of assessments, each requiring country-specific legal research and a documented conclusion produced with real diligence, because supervisory authorities can and do demand the file during an audit or an enforcement action. The work is closely kin to the privacy impact assessment discipline organizations already run for high-risk processing, and the two should share governance rather than duplicate it. A compact template keeps each TIA complete and audit-ready:
| Assessment element | Documentation to capture |
|---|---|
| Data categories transferred | Inventory of the personal data types in scope |
| Recipient identification | Name, location, role (controller / processor / sub-processor) |
| Transfer purpose | The business justification for the flow |
| Legal basis | Adequacy, SCC module, BCR, or derogation |
| Destination legal analysis | Surveillance and government-access law, oversight, remedies (Essential Guarantees) |
| Practical experience | The importer's history (or absence) of government requests, with caveats |
| Supplementary measures | The technical, organizational, and contractual protections adopted |
| Re-evaluation triggers | The events that will require the TIA to be refreshed |
| Author and date | Who assessed, who approved, and when |
A worked hypothetical sharpens the point. Suppose Halcyon, as a processor, wants to route EU customer support tickets to its Manila desk so agents can read and resolve them. Step 1 reveals the flow. Step 2 identifies SCCs (Module 3, processor to sub-processor) as the tool, since the Philippines has no EU adequacy decision. Step 3 requires Halcyon to study Philippine surveillance and government-access law against the Essential Guarantees. Step 4 confronts the ugly fact that support agents need to read tickets in clear text, so encryption cannot wall off access — pushing Halcyon toward organizational measures (tight access controls, redaction of sensitive fields before routing, a documented government-request protocol) and an honest judgment about residual risk. Step 6 commits Halcyon to revisit the assessment if Philippine law changes. The TIA might conclude the transfer can proceed with measures; it might also conclude that certain sensitive categories should never leave the EEA. Either way, the analysis — not the contract — is what does the legal work.
Supplementary Measures: Three Families, and Where Each One Breaks
When a TIA reveals that the destination's law may stop the importer from honoring the SCCs, the organization faces three options and no fourth: abandon the transfer, implement supplementary measures that restore essential equivalence, or — if no measure can close the gap — conclude that the transfer is unlawful and must not proceed. The EDPB's Recommendations 01/2020 catalog measures in three families: technical, organizational, and contractual. They are not equally powerful, and the differences are the whole ballgame.
Technical measures are the strongest, because they can make the importer's vulnerability irrelevant. If the importer cannot read the data in intelligible form, then it does not much matter whether local law could compel it to hand the data over — there is nothing useful to hand over. Encryption is the paradigm. But encryption's protective value stands or falls on key management. The EDPB is explicit: encryption protects a transfer only if the keys are held solely by the exporter, or by entities in the EEA or an adequate country, and are kept out of the importer's reach and the reach of the importer's government. A cloud arrangement in which the provider holds the keys earns little credit, because the provider can be compelled to decrypt. (Practical Law's note on Encryption for Cross-Border Data Transfers Under the GDPR makes the same point: encryption is a "crucial tool" precisely because it can minimize the risk of government access — but only when the keys are controlled outside the importer's jurisdiction, with robust algorithms, properly generated keys, and no exploitable implementation flaw.) Pseudonymization works where the exported data cannot be re-identified without additional information the exporter alone keeps in the EEA. Split or multi-party processing distributes data elements across independent processors so that no single one holds enough to identify anyone — powerful in theory, architecturally demanding in practice.
The honest, uncomfortable limit is that technical measures fail wherever the importer must see the data in the clear to do its job. Remote IT support reaching into a live HR system, a SaaS application that must process customer records to render its features, a payroll bureau that must read salaries to cut checks — in each, clear-text access is the service, and encryption cannot prevent compelled disclosure through the importer. The EDPB says so directly, identifying scenarios in which no effective supplementary measure exists. This is precisely the bind a clear-text SaaS provider like Halcyon faces, and pretending otherwise is how organizations end up with fines.
Organizational measures don't prevent access; they reduce its likelihood and surface it when it happens. Strict, role-based access controls narrow who can reach transferred data. Documented government-request protocols — legal review of every demand, notification to the exporter where lawful, and a commitment to challenge overbroad or unlawful requests — turn a panicked moment into a governed process. Transparency reporting and, in the right jurisdictions, warrant-canary arrangements (regular affirmative statements that no government request has been received, so that silence becomes a signal) add a monitoring layer. None of these stops a lawful order, but together they shrink exposure and create the documentary trail a TIA needs.
Contractual measures strengthen the importer's promises — but cannot rewrite the law it lives under. The EDPB is emphatic that a contract cannot override mandatory local law compelling disclosure; a clause promising never to disclose may simply expose the importer to penalties without preventing the disclosure. Within that limit, enhanced audit rights, prompt-notification obligations, commitments to exhaust legal remedies against excessive requests, and warranties about the absence of back doors all serve genuine supporting roles. The discipline of drafting these obligations precisely — and making them enforceable — overlaps with the craft we describe in drafting enforceable non-disclosure agreements for technology transactions: a beautifully worded confidentiality or non-disclosure obligation is worthless if a superior legal command can compel its breach, and recognizing that ceiling is the beginning of competent drafting.
The interplay of measure and scenario, distilled:
| Scenario | Technical measure | Organizational measure | Likely effectiveness |
|---|---|---|---|
| Cloud storage, exporter holds keys | Strong encryption (e.g., AES-256), exporter-controlled keys | Access logging, audit rights | High |
| Cloud storage, provider holds keys | Encryption alone insufficient | Governance and warrant procedures | Low–Medium |
| Remote IT support (clear-text access) | None effective | Access restrictions, transparency reports | Low |
| Analytics on pseudonymized data | Pseudonymization, exporter holds re-identification key | Purpose limitation | High |
| Payroll (clear text required) | None effective | Strict access controls, contractual commitments | Low |
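The "analytics on pseudonymized data, exporter holds the re-identification key" row above, and the redaction-before-routing idea in the Halcyon hypothetical, as an added Python example. This is not code from the article, the EDPB or any vendor: the ticket records are constructed sample data, the function names are mine, and the design assumes the exporter generates a random key in the EEA, derives pseudonyms with HMAC-SHA256, and keeps both the key and the pseudonym-to-identity table out of the importer's reach. The keyed construction matters: an unkeyed hash of an e-mail address can be confirmed by anyone who guesses the address, which is why the block also shows that weaker design failing.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample data (not from the article): support tickets that a
# processor holds in the EEA before routing them to an offshore sub-processor.
TICKETS: List[Dict[str, str]] = [
    {"ticket_id": "T-1001", "email": "anna@example.eu",
     "iban": "DE00 0000 0000 0000 0000 00", "issue": "Login fails after password reset"},
    {"ticket_id": "T-1002", "email": "bruno@example.eu",
     "iban": "FR00 0000 0000 0000 0000 000", "issue": "Invoice PDF is blank"},
    {"ticket_id": "T-1003", "email": "anna@example.eu",
     "iban": "DE00 0000 0000 0000 0000 00", "issue": "Two-factor code never arrives"},
]

SENSITIVE_FIELDS = ("iban",)   # redacted before export; never leave the EEA in any form
IDENTIFIER_FIELD = "email"     # replaced by a keyed pseudonym before export


def new_exporter_key() -> bytes:
    """Random pseudonymization key. It is generated and kept by the exporter in the EEA."""
    return secrets.token_bytes(32)


def pseudonym_for(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated). Without `key` nobody can compute
    or verify a pseudonym, so a guessed e-mail address cannot be confirmed."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:24]


def unkeyed_pseudonym(identifier: str) -> str:
    """The weaker design for comparison: a plain hash anyone can recompute from a guess."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:24]


def export_batch(tickets: List[Dict[str, str]], key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Prepare records for transfer: drop sensitive fields, swap the identifier for a
    pseudonym, and build the re-identification table that stays with the exporter."""
    reid_table: Dict[str, str] = {}
    exported: List[Dict[str, str]] = []
    for t in tickets:
        p = pseudonym_for(t[IDENTIFIER_FIELD], key)
        reid_table[p] = t[IDENTIFIER_FIELD]
        rec = {k: v for k, v in t.items() if k not in SENSITIVE_FIELDS and k != IDENTIFIER_FIELD}
        rec["subject"] = p
        exported.append(rec)
    return exported, reid_table


def leaked_fields(exported: List[Dict[str, str]]) -> List[str]:
    """Pre-export check: names of identifier or sensitive fields still present in any record."""
    forbidden = set(SENSITIVE_FIELDS) | {IDENTIFIER_FIELD}
    return sorted({k for rec in exported for k in rec if k in forbidden})


def importer_analytics(exported: List[Dict[str, str]]) -> Dict[str, int]:
    """What the third-country importer can compute from what it receives: tickets per subject."""
    counts: Dict[str, int] = {}
    for rec in exported:
        counts[rec["subject"]] = counts.get(rec["subject"], 0) + 1
    return counts


def reidentify(results: Dict[str, int], reid_table: Dict[str, str]) -> Dict[str, int]:
    """Back in the EEA, the exporter joins the results to real identities with the table it kept."""
    return {reid_table[p]: n for p, n in results.items()}


def guess_confirms(pseudonym: str, candidate: str, key: bytes = None) -> bool:
    """Models someone holding the exported file and testing whether `pseudonym` belongs to a
    guessed address. Without the key only the unkeyed hash can be recomputed; the keyed
    pseudonym can be confirmed only by the key holder."""
    if key is None:
        return hmac.compare_digest(unkeyed_pseudonym(candidate), pseudonym)
    return hmac.compare_digest(pseudonym_for(candidate, key), pseudonym)


if __name__ == "__main__":
    k = new_exporter_key()
    out, table = export_batch(TICKETS, k)
    assert leaked_fields(out) == [], "refuse to export: identifying fields still present"
    print("exported:", out)
    print("importer sees:", importer_analytics(out))
    print("exporter re-identifies:", reidentify(importer_analytics(out), table))
```

The `leaked_fields` check is the gate a release pipeline should fail on: if a new field with personal data is added to the ticket schema and not classified, it shows up here before anything crosses the border. Re-identification happens only on the exporter side, which is what lets the table's "High" rating apply; if the key or the table were handed to the importer, the measure would collapse to the "provider holds keys" row.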
The sobering conclusion the EDPB invites — and that too many organizations dodge — is that some routine business arrangements are not sustainably compatible with GDPR transfer rules for some destinations. There is no clever clause for a clear-text transfer to a jurisdiction whose surveillance law fails the Essential Guarantees. The disciplined response is to run the TIA clear-eyed, accept that the answer may be "no," and let that answer drive a business-process redesign — regional data residency, EEA-only processing for sensitive categories, or a different vendor — rather than papering over the gap and hoping no regulator notices.
Binding Corporate Rules: The Enterprise Solution for Intra-Group Flows
For a multinational that shovels personal data among its own subsidiaries across a dozen countries, signing module-by-module SCCs with every affiliate is a Sisyphean contracting exercise. Binding Corporate Rules (BCRs) are the bespoke alternative: a single set of legally binding internal rules, adopted by a corporate group and approved by a supervisory authority, that governs all intra-group transfers out of the EEA under Article 47.
The advantages are structural. BCRs give a group one coherent compliance framework instead of a patchwork of bilateral agreements that drift out of sync. They demonstrate sustained, documented engagement with data protection, which can shape how a regulator perceives the organization when something goes wrong. And — unlike an adequacy decision — they cannot be invalidated by a change in any single destination's law, because they are the group's own enforceable commitments rather than a government's promise about a country.
The cost is the catch. BCR approval runs through a "BCR Lead" supervisory authority — typically where the group's EEA headquarters or main decision-making center sits — followed by co-reviewer authorities and an EDPB opinion under the consistency mechanism. Processing times commonly span eighteen months to three years. The EDPB's March 2025 update to its BCR cooperation procedure tries to streamline the dance by formalizing communication "rounds," but approval remains a major undertaking measured in years and legal spend.
Post-Schrems II, BCRs are not exempt from the new substance. The EDPB's Recommendations 1/2022 on controller BCRs (adopted June 2023) fold the Schrems II logic directly into the BCR requirements: a group must now document its assessment of whether it can actually comply with the BCRs in the face of government access requests in the relevant destinations — a TIA-equivalent baked into the rules themselves. Holders of previously approved BCRs were required to update them accordingly, and pre-GDPR BCRs must undergo fresh approval when updated, because the changes are substantive rather than cosmetic.
The decision is a footprint question. A group with simple arrangements — transfers mainly to an adequate country, or to a manageable handful of processors — usually finds SCCs faster and cheaper. A group with complex, high-volume intra-group transfers across many non-adequate jurisdictions, especially one expecting that footprint to grow, is the right candidate for the investment. These are the same kinds of structural choices that arise when a business designs its corporate architecture in the first place, a subject we take up in corporate structuring and running multiple businesses: where the decision-making center sits, and how the entities relate, shapes which transfer mechanism is even available.
Article 49 Derogations: The Narrow Safety Valve
Article 49 lets data move in the absence of an adequacy decision and appropriate safeguards — but the exceptions are deliberately, almost grudgingly, narrow. The EDPB's Guidelines 2/2018 insist that derogations are construed restrictively and, as a rule, apply only to processing that is occasional and non-repetitive. They are a safety valve, not a plumbing system, and treating them as a substitute for SCCs is a common and expensive misreading.
The most-invoked derogations are three. Explicit consent requires that the data subject be told about the specific risks of the transfer — including the absence of adequate protection and the possibility of government access — and then freely and explicitly agree; consent buried in a privacy notice or bundled into terms of service will not do, and it can be withdrawn. Contractual necessity covers transfers genuinely necessary to perform a contract between the data subject and the controller (or to take pre-contractual steps at the data subject's request) — for example, transmitting a traveler's booking details to a hotel abroad — but it does not reach broader commercial arrangements that merely benefit the controller. Compelling legitimate interests is the narrowest of all: available only for transfers that are not repetitive, concern a limited number of data subjects, are necessary for compelling interests that are not overridden by the data subject's rights, and come with documented safeguards and notification to the supervisory authority.
In practice, derogations rarely support business-as-usual. A company facing foreign litigation might appropriately invoke a derogation to transfer specific employee records to respond to a discovery demand — and the tension between U.S. discovery obligations and EU data-protection law is a recurring headache that the derogations only partly relieve. But that same company cannot lean on consent or contractual necessity to legitimize the routine, ongoing sharing of HR data with its non-EEA subsidiaries; that is exactly the recurring, systematic flow the derogations are designed not to cover. The honest rule of thumb: if the transfer is regular, structural, and central to operations, you need adequacy, SCCs, or BCRs — not a derogation.
How Business Models Bend the Analysis
Transfer rules do not land evenly. The same GDPR text produces very different burdens depending on how an organization is built.
Cloud and SaaS present the archetypal hard case, because the major providers operate planet-spanning infrastructure and the customer often cannot see, let alone control, where a given byte rests at a given moment. Where the provider is DPF-certified and the customer is comfortable with the framework's durability, the DPF offers a clean path. Otherwise, the cloud contract incorporates SCCs and the customer must run TIAs for the relevant processing locations. The encryption question dominates: if the provider must access data in the clear to deliver the service — as countless SaaS applications do — technical measures cannot defeat compelled disclosure, and the customer must decide whether organizational and contractual measures suffice or whether data residency is the only honest answer. Halcyon lives this from both sides at once: as a processor reassuring its EU customers, and as a controller depending on its own U.S. and Asian vendors.
AI and machine learning layer new wrinkles onto old rules. Training data must reach training infrastructure, which frequently sits outside the EEA, so the act of assembling a training corpus can itself be a transfer; and model outputs can reflect — sometimes reconstruct — personal data from the training set, raising the question whether an inference is itself personal data subject to Chapter V. The provenance and legal status of training data is a live and contested issue, as our analysis of copyright infringement claims against generative AI explores in the IP context, and the data-protection overlay only deepens it. Organizations training on personal data should map whether training transfers occur and on what basis; those deploying models should understand whether inference operations transfer data or generate outputs that are themselves personal data. The transfer questions sit inside the much larger compliance picture surveyed in artificial intelligence: key legal issues — a comprehensive overview, and they intersect sharply with the rules governing sensitive categories, a theme our piece on biometric data privacy laws and their impact on AI development develops — biometric identifiers are special-category data under Article 9, and transferring a face-recognition training set out of the EEA compounds a transfer problem with a sensitive-data problem.
Remote and distributed teams multiply transfers in ways that surprise people, because a "transfer" does not require shipping a file — remote access to EEA-stored data from a non-EEA location can itself be a transfer. An employee opening an HR record from a laptop while traveling abroad, a support engineer in a non-EEA country querying a central EU database — each is a flow to map and justify. This is the same boundary-dissolving dynamic that complicates trade-secret protection in the cloud era, which we examine in trade secrets in the age of remote work and cloud computing.
Advertising technology has drawn the most fire. Programmatic advertising and profiling generate dense, high-volume, cross-border flows, and regulators have noticed. Meta's record fine concerned data transferred in connection with advertising, so organizations whose business model runs on ad tech should assume heightened scrutiny and document accordingly. The same surveillance-and-access concerns that animate transfer law also animate the disputes over harvesting data in the first place, a connection our analysis of data scraping after hiQ v. LinkedIn traces from a different doctrinal direction.
The UK Dimension: A Parallel Regime, Renewed Through 2031
Brexit split the once-unified European data-protection space, and any organization touching UK-originating data now navigates a parallel-but-distinct regime. The UK GDPR, as retained and modified through the Data Protection Act 2018, mirrors the EU GDPR's transfer restrictions but operates under its own adequacy determinations and its own transfer tools, administered by the Information Commissioner's Office rather than the EDPB.
The headline development for cross-Channel planning is the renewal of the EU's adequacy decisions for the UK. Originally adopted in June 2021 (so that EU-to-UK flows could continue without extra safeguards), those decisions were due to lapse, and after a six-month technical extension in mid-2025 — prompted in part by the UK's enactment of the Data (Use and Access) Act 2025 (Royal Assent 19 June 2025), which the Commission wanted to study before re-deciding — the Commission renewed adequacy on 19 December 2025, extending validity to 27 December 2031, subject to ongoing monitoring and a four-year review. There are two decisions, one under the GDPR and one under the Law Enforcement Directive. The upshot is welcome certainty: EU-to-UK personal data flows continue without SCCs or TIAs for the better part of a decade, provided UK standards do not diverge materially enough to put adequacy back in play.
For transfers from the UK to third countries, the toolkit differs in form if not in spirit. UK exporters may use the ICO's International Data Transfer Agreement (IDTA), in force since March 2022, or the EU SCCs paired with the UK Addendum, which retrofits the EU clauses for UK GDPR. The choice usually turns on whether the organization also handles EU-originating data: a UK-only operation may prefer the standalone IDTA, while a mixed-flow business often adopts EU SCCs plus the Addendum for administrative simplicity, running one instrument rather than two. The UK transition deadline for retiring legacy clauses ran to 21 March 2024, so a UK program should hunt for the same fossils as an EU one.
Transatlantic flows from the UK ride the UK-US Data Bridge, effective 12 October 2023, which extends the DPF to UK transfers. A U.S. organization must certify under both the main DPF and the UK Extension to receive UK personal data without additional mechanisms; for an already-certified organization, the UK Extension is a light add-on rather than a fresh project.
The decision matrix, in one place:
| Data origin | Destination | Recommended mechanism |
|---|---|---|
| UK only | US (DPF + UK Extension certified) | UK-US Data Bridge |
| UK only | Other non-adequate country | UK IDTA, or EU SCCs + UK Addendum |
| UK + EU | US (DPF certified) | DPF + UK Data Bridge |
| UK + EU | Other non-adequate country | EU SCCs + UK Addendum |
| EU only | UK | Adequacy decision (renewed Dec. 2025, valid to Dec. 2031) |
Enforcement: Where the Rules Get Teeth
Compliance budgets follow enforcement reality, and the post-Schrems II enforcement record has settled into clear, instructive patterns. The numbers are large enough to command attention in any boardroom:
| Year | Organization | Authority | Fine (EUR) | Core violation |
|---|---|---|---|---|
| 2023 | Meta Platforms | Irish DPC (per EDPB binding decision) | 1,200,000,000 | EU-US transfers without adequate safeguards |
| 2024 | Uber | Dutch DPA | 290,000,000 | EU-US driver-data transfers without an adequate mechanism |
| 2025 | TikTok | Irish DPC | 530,000,000 | Transfers to China without ensuring essential equivalence |
| 2024 | | Irish DPC | 310,000,000 | Targeted-advertising processing (with transfer dimensions) |
| 2024 | Clearview AI | Dutch DPA | 30,500,000 | Unlawful collection including international transfers |
(Enforcement figures move; cross-check against the DLA Piper GDPR Fines and Data Breach Survey and the CMS GDPR Enforcement Tracker before relying on a specific number.)
Three themes emerge. First, the Irish Data Protection Commission has become the de facto primary enforcer for transatlantic violations, because so many U.S. technology companies place their EU establishment in Ireland and the GDPR's one-stop-shop routes their cases to the Irish DPC as lead authority. That concentration cuts both ways: the Irish DPC was initially lenient on Meta, and the €1.2 billion figure arrived only after the EDPB's consistency mechanism produced a binding decision overriding the lead authority. The lesson for organizations is that a friendly lead regulator is no shield — the consistency mechanism is a live route to escalation when a national authority under-enforces.
Second, enforcement has moved beyond the United States. The TikTok fine turned on Chinese law that permits government access to data, with the regulator finding that the company had failed to assess the risk that Chinese surveillance legislation posed to essential equivalence. The TIA obligation is destination-agnostic: it applies to a transfer to Shanghai exactly as it applies to a transfer to Virginia, and "we only worried about the U.S." is not a defense.
Third, the penalties are calibrated to hurt even the largest firms. A nine- or ten-figure fine is not a cost of doing business; it is a board-level event. The unmistakable signal is that transfer compliance cannot be a checkbox, that an honest TIA is cheaper than a fine by orders of magnitude, and that the gap between "we papered the SCCs" and "we assessed the transfer" is exactly the gap the regulators are fining.
Building a Transfer Compliance Program
Turning all of this into operations requires a program, not a project — something that runs continuously rather than a binder assembled once and shelved. A workable program unfolds in six phases.
Phase 1 — Map and inventory. Before assessing anything, catalog what actually happens. Engage business units, IT, procurement, and vendor managers, and record every instance where personal data leaves the EEA (treating UK flows as a separate category), the identity and location of each recipient, the purpose, the data categories, the volume and frequency, and the legal basis currently claimed. Expect shadow IT, undocumented sub-processing chains, and inherited legacy arrangements to surface here — they almost always do, and they are usually the riskiest flows precisely because no one was watching them.
Phase 2 — Assign mechanisms. For each flow, choose the tool and verify it. For DPF transfers, confirm current certification on the official Data Privacy Framework List and that the certification covers the relevant data types. For SCC flows, implement the correct module with fully completed annexes. For intra-group flows, confirm they fall within an approved BCR's scope. For anything else, decide whether a (narrow) derogation genuinely applies.
Phase 3 — Conduct TIAs. For every flow riding on SCCs or other Article 46 safeguards, run a documented six-step TIA. Group genuinely homogeneous transfers to avoid reinventing identical analyses, standardize templates, and define governance: who assesses, who approves, and how often the assessment is refreshed.
Phase 4 — Implement supplementary measures. Where TIAs reveal gaps, design and deploy measures — technical ones often requiring infrastructure changes (exporter-held keys, regional residency, pseudonymization pipelines), organizational ones requiring policy and training, contractual ones requiring negotiation with importers. Where no measure can close the gap, escalate the business decision honestly rather than burying it.
Phase 5 — Document for accountability. The GDPR's accountability principle demands demonstrable compliance. Keep an organized, retrievable record of mappings, mechanism assignments, TIA analyses, measures, and monitoring, so the file can be produced the day a supervisory authority asks — not reconstructed in a panic.
Phase 6 — Monitor continuously. Build processes to catch triggering events: new or terminated flows, lapses in DPF certification, changes in adequacy status, new surveillance legislation or court rulings in destination countries, and evolving EDPB or supervisory-authority guidance. The DPF appeal alone guarantees that monitoring will not be idle work.
A maturity model helps an organization locate itself and plot a path forward:
| Maturity level | Characteristics |
|---|---|
| Ad hoc | No systematic program; transfers happen on business need without structured assessment |
| Documented | Flows mapped; mechanisms identified; basic TIA documentation exists |
| Managed | Standardized TIA templates and governance; defined approvals; regular review cycles |
| Optimized | Automated monitoring of trigger events; integration with vendor management; proactive risk assessment |
Most organizations begin somewhere between ad hoc and documented and discover, around Phase 1, that they were less compliant than they believed. That discovery is not a failure of the program; it is the program working.
Future Outlook
Several developments deserve a standing place on the watch list. The DPF's near-term stability rests on the General Court's September 2025 ruling, but that stability is provisional: Latombe's appeal, filed 31 October 2025, returns the framework's validity to the Court of Justice, and NOYB has telegraphed challenges aimed at post-2023 developments such as the FISA Section 702 reauthorization. Because the General Court expressly froze its analysis at July 2023 conditions, later changes in U.S. law or oversight could furnish fresh grounds. Keep DPF contingency plans current even while relying on the framework. The UK adequacy renewal through December 2031 buys planning certainty, but it too is conditioned on monitoring and could be revisited if UK standards drift. The Commission continues to weigh additional countries for adequacy, each of which would simplify the affected flows. And national guidance keeps thickening — the CNIL's January 2025 practical guide on Transfer Impact Assessments is a good example of the country-level detail now supplementing the EDPB's recommendations, and worth consulting when a flow touches France.
Conclusion: Compliance as an Operating Discipline
International data transfers sit at the collision point of fundamental rights, technical architecture, and global commerce, and the framework that Schrems II set in motion asks organizations to accept genuine, sometimes inconvenient constraints on how they process European personal data. For many, that means uncomfortable conversations: whether a flow can continue as designed, whether an architecture needs reworking so the exporter holds the keys, whether a vendor's sub-processing chain reaches a jurisdiction that no measure can redeem. Some transfers will not survive an honest assessment, and the discipline is to let that conclusion drive a redesign rather than a rationalization.
But the framework is navigable, not impossible. The DPF — durability concerns and all — currently supports transatlantic transfers to certified organizations. SCCs, implemented with real TIAs and effective supplementary measures, legitimize transfers to a broad range of destinations. BCRs offer a durable solution to multinationals willing to invest. The dividing line runs between organizations that treat these requirements as legal requirements and those that treat them as compliance theater. The first group reads destination-country law, implements measures with actual protective effect, and monitors for change; the second signs the standard clauses, calls the supplementary-measures section boilerplate, and assumes a risk that has cost the world's largest technology companies more than a billion euros at a stroke.
For Halcyon Cloud, sustainable compliance is not a binder but a habit — mapped flows, honest assessments, real safeguards, and the readiness to change course the day the law does. That readiness is the through-line of the whole subject, and it pays dividends beyond privacy, because the same instinct serves an organization across every fast-moving corner of technology law, from platform liability for user-generated content to the IP questions raised by machine-made work in AI-generated inventions. The organizations that build adaptable programs will be the ones still operating, uninterrupted, when the next framework falls.
Frequently Asked Questions
Do I need a Transfer Impact Assessment for transfers to a DPF-certified U.S. company? No. A transfer to a U.S. recipient with a current, scope-appropriate certification under the EU-U.S. Data Privacy Framework rides on the Commission's adequacy decision, and adequacy-based transfers do not require a TIA. Two caveats: confirm the certification is current on the official DPF List and that it covers the relevant data categories (HR data require a separate election), and keep an alternative mechanism ready given the pending Latombe appeal.
Are the old (pre-2021) Standard Contractual Clauses still valid? No. The 2021 SCCs (Commission Implementing Decision (EU) 2021/914) replaced the 2001 and 2010 clauses, and the transition period for relying on the legacy clauses has closed. Any contract still resting on pre-2021 clauses is exposed; an SCC audit should specifically hunt for these in older vendor agreements and data processing addenda.
Does encryption automatically make a transfer compliant? No. Encryption can be a powerful supplementary measure, but only if the keys are held by the exporter or by entities in the EEA or an adequate country — out of the importer's reach and its government's reach — using strong algorithms and sound key management. Where the importer needs clear-text access to do its job (most SaaS, remote support, payroll), encryption cannot prevent compelled disclosure, and the EDPB recognizes scenarios where no technical measure suffices.
Is remote access from outside the EEA a "transfer"? Generally yes. A transfer does not require shipping a file. Remote access to EEA-stored personal data from a non-EEA location — a traveling employee, an offshore support engineer querying a central database — can itself be a transfer requiring a lawful mechanism and, where applicable, a TIA.
Can I rely on consent (an Article 49 derogation) for routine business transfers? Almost never. Article 49 derogations are construed restrictively and apply to occasional, non-repetitive transfers. Consent must be explicit and informed about the transfer's specific risks, and it is withdrawable. Regular, structural flows central to operations need adequacy, SCCs, or BCRs — not a derogation.
SCCs or Binding Corporate Rules — which should we use? It depends on footprint. Organizations with simple arrangements (transfers mainly to an adequate country or a manageable set of processors) usually find SCCs faster and cheaper. Groups with complex, high-volume intra-group transfers across multiple non-adequate jurisdictions are better candidates for BCRs, accepting an approval process commonly measured in eighteen months to three years.
Do these rules apply to transfers to China and other non-U.S. countries? Yes. The TIA obligation is destination-agnostic. The TikTok fine (€530 million, 2025) addressed transfers to China and the company's failure to assess Chinese surveillance law against the European Essential Guarantees. Any transfer to a non-adequate country requires the same analysis applied to the U.S.
Related Articles
- Biometric data privacy laws and their impact on AI development
- Artificial intelligence: key legal issues — a comprehensive overview
- Data scraping after hiQ v. LinkedIn: copyright, contract, and computer fraud claims
- Drafting enforceable non-disclosure agreements for technology transactions
- Trade secrets in the age of remote work and cloud computing
- Drafting software license agreements: key terms and negotiation points
- Copyright infringement claims against generative AI
- Conducting privacy impact assessments
- Corporate structuring and running multiple businesses
Selected Authorities
The authorities and figures below were current as of publication. This area moves quickly — the Data Privacy Framework is on appeal, adequacy decisions are subject to monitoring, and enforcement figures accumulate. Verify the current state of the law and consult qualified privacy counsel before relying on any point here.
Court Decisions
- Data Protection Commissioner v. Facebook Ireland Ltd. and Maximillian Schrems, Case C-311/18, EU:C:2020:559 (CJEU, 16 July 2020) (Schrems II)
- Maximillian Schrems v. Data Protection Commissioner, Case C-362/14 (CJEU, 6 Oct. 2015) (Schrems I)
- Philippe Latombe v. European Commission, Case T-553/23 (General Court, 3 Sept. 2025), appeal filed to the Court of Justice 31 Oct. 2025
EU Instruments and Decisions
- Regulation (EU) 2016/679 (GDPR), Chapter V (Arts. 44–50), including Arts. 45, 46, 47, and 49
- Commission Implementing Decision (EU) 2023/1795 on the EU-U.S. Data Privacy Framework (10 July 2023)
- Commission Implementing Decision (EU) 2021/914 on Standard Contractual Clauses (4 June 2021)
- EU adequacy decisions for the United Kingdom (originally June 2021; renewed 19 Dec. 2025, valid to 27 Dec. 2031)
- Charter of Fundamental Rights of the European Union, Arts. 7, 8, 47
Guidance
- EDPB Recommendations 01/2020 on measures that supplement transfer tools (final, adopted 18 June 2021)
- EDPB Guidelines 2/2018 on derogations under Article 49
- EDPB Recommendations 1/2022 on controller Binding Corporate Rules (adopted June 2023)
- EDPB European Essential Guarantees for surveillance measures
- CNIL, Practical Guide on Transfer Impact Assessments (January 2025)
U.S. and UK Measures
- Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities (7 Oct. 2022)
- 28 C.F.R. Part 201 (Data Protection Review Court regulation)
- Foreign Intelligence Surveillance Act, Section 702; Executive Order 12333
- UK ICO International Data Transfer Agreement and UK Addendum (in force March 2022)
- UK Data (Use and Access) Act 2025 (Royal Assent 19 June 2025)
- UK-US Data Bridge (effective 12 Oct. 2023)
Enforcement Trackers
- DLA Piper GDPR Fines and Data Breach Survey
- CMS GDPR Enforcement Tracker
For help mapping data flows, conducting Transfer Impact Assessments, or selecting and implementing transfer mechanisms, our intellectual property and technology practice advises controllers and processors on cross-border data protection compliance.