GDPR • 11 min read • December 28, 2024

International Data Transfers Under GDPR: What You Need to Know

Navigate the complex rules around transferring personal data outside the European Union. Standard contractual clauses and adequacy decisions explained.

If there's one area of GDPR that causes the most confusion, it's international data transfers. The rules are complex, they've been disrupted by court decisions, and the practical implications are still being worked out. I've seen experienced privacy professionals throw up their hands at this topic.

But if you're running a business that deals with EU personal data and uses any US-based services—which is most businesses these days—you need to understand the basics. Let me try to make sense of it.

Why Transfers Are Restricted

GDPR restricts transfers of personal data outside the European Economic Area (EEA) to ensure that data doesn't flow to countries with weaker privacy protections. The idea is that EU residents' data should be protected by EU standards regardless of where it ends up.

Without restrictions, companies could simply move data to countries with minimal privacy laws, and GDPR's protections would be meaningless. The transfer restrictions are how GDPR maintains its reach globally.

A "transfer" includes any transmission of personal data to a recipient in a third country. This covers everything from storing data on US-based cloud servers to sending customer lists to an outsourcing partner in India to accessing EU employee records from an office in Singapore.

Legal Mechanisms for Transfers

GDPR provides several mechanisms for legally transferring data outside the EEA:

Adequacy Decisions

The European Commission can determine that a country provides "adequate" data protection comparable to the EU. If a country has an adequacy decision, you can transfer data there freely—no additional safeguards required.

Countries with adequacy decisions include Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, and Uruguay.

Notably absent: the United States (mostly), China, India, and many other major economies.

The US Situation

The US has had a complicated history with EU data transfers. The original Safe Harbor framework was invalidated by the Schrems I decision in 2015. Its replacement, Privacy Shield, was invalidated by Schrems II in 2020.

In 2023, the EU-US Data Privacy Framework was adopted, providing a new adequacy decision for transfers to US companies that certify under the framework. This allows transfers similar to how Privacy Shield worked—but only for participating companies, and there are concerns that this framework might also face legal challenge.

If you're transferring data to a US company certified under the Data Privacy Framework, that certification provides a legal basis. For non-certified companies, you need other mechanisms.

Standard Contractual Clauses (SCCs)

Standard Contractual Clauses are EU-approved contract terms that the data exporter and importer sign. They commit both parties to data protection obligations that aim to provide equivalent protection to what the data would receive in the EU.

SCCs come in different modules depending on the relationship between the parties (controller-to-controller, controller-to-processor, processor-to-processor, processor-to-controller). You use the modules that match your situation.

Post-Schrems II, SCCs alone aren't always sufficient. You must also conduct a "transfer impact assessment" to determine whether the destination country's laws might prevent the importer from complying with the SCCs. If they might, you need supplementary measures.

Binding Corporate Rules (BCRs)

Binding Corporate Rules are internal policies approved by EU data protection authorities that govern transfers within a corporate group. They're most useful for multinational companies that frequently move data between entities in different countries.

BCRs require significant effort to establish—typically years of development and regulatory approval. But once in place, they provide a sustainable framework for intra-group transfers without negotiating individual agreements for each transfer.

Derogations

GDPR provides derogations (exceptions) allowing transfers in specific situations:

  • Explicit consent from the data subject, given after being informed of the risks of the transfer
  • Transfers necessary for contract performance
  • Transfers necessary for important public interest reasons
  • Transfers necessary for legal claims
  • Transfers necessary to protect vital interests

Derogations are meant to be exceptions, not routine practices. Relying on consent for systematic, ongoing transfers is generally not appropriate. The contract necessity derogation is narrowly interpreted. Use derogations for occasional, specific needs—not as your primary transfer mechanism.

The Transfer Impact Assessment

Since Schrems II, organizations using SCCs must conduct transfer impact assessments (TIAs). These assessments evaluate whether the laws and practices of the destination country might prevent the data importer from complying with the SCCs.

Key considerations include:

  • Does the destination country have surveillance laws allowing government access to personal data?
  • Do those laws meet EU standards for necessity and proportionality?
  • Are there effective legal remedies for individuals whose data is accessed?
  • In practice, has the government used these powers to access data from similar companies?

For transfers to the US specifically, the concern is primarily Section 702 of FISA and Executive Order 12333, which authorize intelligence surveillance of foreign communications. The Schrems II court found that these programs lacked adequate safeguards and remedies for EU individuals.

The Data Privacy Framework addresses some of these concerns for certified companies. For non-certified companies, the assessment remains relevant.

Supplementary Measures

If your TIA identifies concerns, you need supplementary measures to provide additional protection. The European Data Protection Board has issued guidance on possible measures:

Technical measures: Encryption where the importer has no access to the keys, pseudonymization, and split processing where the meaningful data remains in the EU.

Contractual measures: Additional commitments from the importer—like committing to challenge access requests, notifying the exporter of requests, and taking legal action where possible.

Organizational measures: Internal policies, security measures, governance structures at the importer.

Not all transfers can be made compliant with supplementary measures. If the data must be available in clear text to the importer, and that importer is subject to problematic access laws, technical measures may not be feasible.

Practical Implications

Cloud Services

Most major cloud providers (AWS, Google Cloud, Microsoft Azure) offer GDPR compliance tools and have certified under the Data Privacy Framework where applicable. They typically offer SCCs in their terms of service and provide documentation for transfer assessments.

If you're using a major cloud provider with appropriate configurations, the transfer mechanisms are largely handled for you—though you should still verify the arrangements and document your compliance.

SaaS and Third-Party Services

Every third-party service that processes EU personal data and involves data leaving the EEA requires attention. Your email marketing platform, CRM, analytics tools, customer support software—check where data goes and what transfer mechanisms are in place.

Reputable providers have updated their terms post-Schrems II. Look for SCCs in their data processing agreements and any supplementary documentation they provide about transfer safeguards.

Intra-Group Transfers

Multinational companies with entities in and outside the EEA need transfer mechanisms for sharing employee data, customer data, and business information. SCCs can work for specific transfers; BCRs might be worth the investment for organizations with complex, ongoing transfer needs.

What Regulators Are Actually Doing

Enforcement of transfer rules has been increasing. Several EU data protection authorities have issued decisions finding specific transfer arrangements non-compliant, particularly around Google Analytics and Facebook.

The approach has varied by country—some authorities have been aggressive, others more measured. But the trend is toward stricter enforcement, and organizations relying on outdated transfer mechanisms are at increasing risk.

Making Sense of Complexity

International data transfers are genuinely complicated. Here's a practical approach:

  1. Map your transfers. Know what data goes where and why.
  2. Identify your mechanisms. For each transfer, determine what legal basis applies—adequacy, Data Privacy Framework certification, SCCs, etc.
  3. Conduct assessments. For SCC-based transfers, complete transfer impact assessments. Document your analysis and any supplementary measures.
  4. Review vendor terms. Ensure your contracts include appropriate data protection provisions and transfer mechanisms.
  5. Stay updated. This area of law is evolving. The Data Privacy Framework may face legal challenges. New guidance continues to emerge.

Perfect compliance with every nuance of transfer law is aspirational for most organizations. The goal is demonstrable good faith effort—documented assessment, reasonable safeguards, and ongoing attention to developments.

The organizations that get in trouble are usually the ones who haven't thought about transfers at all, not the ones who made reasonable decisions about managing the risks.

Legal Disclaimer

This article is for informational purposes only and does not constitute legal advice. Privacy laws vary by jurisdiction and change over time. Consult with a qualified attorney for advice specific to your situation.