GDPR Data Transfers After Schrems II: SCCs, TIAs, and DPF
The Court of Justice of the European Union's decision in Data Protection Commissioner v. Facebook Ireland and Maximilian Schrems (C-311/18)—commonly known as Schrems II—fundamentally reshaped how organizations can lawfully transfer personal data outside the EU/EEA. For compliance professionals managing international data flows, understanding the post-Schrems II landscape is no longer optional; it is essential to avoiding significant regulatory and operational risk.
Prior to Schrems II, many organizations relied on the Privacy Shield framework to transfer personal data to the United States. The CJEU invalidated Privacy Shield in July 2020, finding that U.S. surveillance laws—particularly Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333—were incompatible with GDPR's guarantee of an essentially equivalent level of data protection. This decision forced organizations to reassess their entire data transfer architecture almost overnight.
The Legal Foundation: Standard Contractual Clauses and Article 46
Under GDPR Article 46, transfers of personal data to third countries are lawful only where "the controller or processor has provided appropriate safeguards," and only on condition that enforceable data subject rights and effective legal remedies are available. Standard Contractual Clauses (SCCs) adopted by the European Commission under Article 46(2)(c) are the most widely used of these safeguards. The current SCCs (Commission Implementing Decision (EU) 2021/914, adopted in June 2021 in direct response to Schrems II) are a single modular set covering four transfer scenarios: controller to controller (Module 1), controller to processor (Module 2), processor to processor (Module 3), and processor to controller (Module 4). They replaced the older 2001, 2004, and 2010 clause sets, which could no longer be used for new contracts after 27 September 2021 and had to be swapped out of existing contracts by 27 December 2022. Do not confuse the transfer SCCs with the Commission's separate Article 28 clauses for controller-processor agreements: those regulate the terms of processing and are not a transfer mechanism.
Schrems II upheld the SCCs as valid, but held that executing them is not, by itself, enough. The CJEU emphasized that contractual terms bind only the parties: they cannot override public law in the recipient country or constrain a foreign government's surveillance powers. The exporter (with the importer's assistance) must therefore verify, before transferring, whether the law and practice of the destination country allow the importer to actually honor the clauses, and must suspend the transfer if they do not. Signing an SCC therefore does not by itself ensure GDPR compliance where the destination country permits government access to data that goes beyond what is necessary and proportionate.
Practically speaking, you must now conduct a supplementary assessment of the legal framework governing data processing in the recipient country. This assessment—often called a "Schrems II assessment" or "transfer impact assessment"—must examine whether recipient-country laws provide adequate safeguards against government access to data.
Transfer Impact Assessments: The Mandatory Supplementary Step
A Transfer Impact Assessment (TIA) is a methodical evaluation of whether laws and practices in the destination country, particularly national security and surveillance legislation, create risks that SCCs cannot mitigate. The European Data Protection Board's Recommendations 01/2020 (final version adopted June 2021) require that this assessment rest on objective, documented factors: the relevant legislation and case law, reports from independent oversight bodies, and, where appropriate, documented practical experience of the importer with government access requests. It must be specific to each transfer, not a generic country memo reused for every data flow.
Your TIA should address: (1) whether the destination country's laws permit governmental access to personal data, and whether those rules are clear, precise, and accessible; (2) whether such access is limited to what is necessary and proportionate; (3) the existence and effectiveness of independent oversight; and (4) the availability of effective remedies that individuals in the EU can actually invoke. These four points track the "European Essential Guarantees" set out in EDPB Recommendations 02/2020, which is the benchmark supervisory authorities apply. For U.S. transfers specifically, examine FISA Section 702, Executive Order 12333, and the limited redress available to non-U.S. persons (the Privacy Act of 1974 protects only U.S. citizens and lawful permanent residents, and the Judicial Redress Act of 2015 extends only a subset of those rights). Also assess the importer's actual exposure: Section 702 directives can be served only on "electronic communication service providers" as defined in 50 U.S.C. § 1881(b)(4), so document whether the importer falls within that definition and whether it has ever received such a directive.
If your TIA identifies risks that SCCs cannot adequately address, the transfer may proceed only with supplementary measures that close the gap. These measures are not found in the text of Article 46; they derive from the Schrems II judgment and are catalogued in Annex 2 of EDPB Recommendations 01/2020, which distinguishes technical, contractual, and organizational measures. The EDPB's use cases make one thing clear: only technical measures that keep the data unintelligible to the importer and to the destination-country authorities, such as strong encryption or pseudonymisation where the keys and the re-identification data remain exclusively in the EU/EEA and the data is never processed in the clear abroad, are considered effective against surveillance. Transport encryption, or encryption where the importer holds the key or decrypts to process the data, does not help. Contractual terms on purpose limitation and transparency, and organizational measures such as data minimization, are useful additions but cannot on their own cure a legal incompatibility. Be realistic: where no combination of measures prevents access that is disproportionate under EU law, the EDPB position is that the transfer must not begin or must be suspended.
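The supplementary measure that most often works in practice is one where the importer never sees identifying data in the clear. As an added illustration (not part of the original article, and not a form endorsed by the EDPB or any regulator), the following Python script shows keyed pseudonymisation combined with data minimisation before export: the exporter keeps a secret HMAC key and the re-identification table in the EU and ships only pseudonyms plus the fields the importer actually needs. The record contents, field names, and key are constructed for the example. A keyed HMAC is used rather than a plain hash because a plain hash of an e-mail address can be reversed by dictionary lookup.

```python
"""Keyed pseudonymisation + minimisation before an international transfer.

Added example; not code from the article. All records, field names and the
key below are constructed for illustration. Assumption: the exporter keeps
KEY and the re-identification table inside the EU/EEA and never ships them.
"""
import hashlib
import hmac
import secrets

# Constructed EU-side records holding direct identifiers.
EU_RECORDS = [
    {"email": "alice@example.eu", "national_id": "DE-1234",
     "country": "DE", "plan": "pro", "logins_30d": 12},
    {"email": "bob@example.eu", "national_id": "FR-9876",
     "country": "FR", "plan": "free", "logins_30d": 3},
]

# Fields that must never leave the EU in the clear (hypothetical choice).
DIRECT_IDENTIFIERS = ("email", "national_id")
# The only fields the (hypothetical) importer needs for its processing purpose.
FIELDS_NEEDED_BY_IMPORTER = ("country", "plan", "logins_30d")


def pseudonym(key: bytes, value: str) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    Without `key` the pseudonym can neither be reversed nor re-derived from a
    guessed identifier, which is what distinguishes this from a plain hash.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def prepare_for_export(records, key: bytes):
    """Return (exported_records, eu_lookup).

    exported_records carries a stable pseudonym and only the minimised fields;
    eu_lookup maps pseudonym -> direct identifiers and stays with the exporter.
    """
    exported = []
    eu_lookup = {}
    for rec in records:
        pid = pseudonym(key, rec["email"])
        eu_lookup[pid] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        exported.append({"subject_id": pid,
                         **{f: rec[f] for f in FIELDS_NEEDED_BY_IMPORTER}})
    return exported, eu_lookup


def contains_direct_identifiers(exported) -> bool:
    """Pre-transfer check: refuse to ship if any direct identifier survived."""
    return any(f in rec for rec in exported for f in DIRECT_IDENTIFIERS)


def reidentify(eu_lookup, exported_rec):
    """EU-side re-identification; only possible with the retained table."""
    return eu_lookup[exported_rec["subject_id"]]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored in the EU only
    exported, eu_lookup = prepare_for_export(EU_RECORDS, key)
    if contains_direct_identifiers(exported):
        raise SystemExit("refusing transfer: direct identifiers present")
    for rec in exported:
        print("exported:", rec)
    print("EU-side re-identification of first record:",
          reidentify(eu_lookup, exported[0]))
```

The check in `contains_direct_identifiers` is the part worth keeping in a real pipeline: it turns the TIA's "data is unintelligible to the importer" finding into something that is enforced on every export rather than assumed. Note that pseudonymised data is still personal data under GDPR, so the SCCs and the TIA are still required; the measure only narrows what a third-country authority could obtain from the importer.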
The Data Privacy Framework: A New Hope for U.S. Transfers
In July 2023, the European Commission adopted an adequacy decision establishing the EU-U.S. Data Privacy Framework (DPF), replacing Privacy Shield. The DPF incorporates commitments from the U.S. government, including new limitations on bulk surveillance and enhanced redress mechanisms for EU individuals through a new independent Data Protection Review Court.
For organizations transferring data to U.S. recipients, the DPF is now the simplest lawful mechanism. Under GDPR Article 45, an adequacy decision means the transfer requires no specific authorisation and no case-by-case transfer impact assessment, which significantly reduces compliance friction. However, the DPF covers only U.S. organizations that self-certify to the U.S. Department of Commerce and maintain compliance with the DPF Principles, in the same way the former Privacy Shield did, and it covers only the categories of data (for example, HR data versus non-HR data) listed in that certification.
Before relying on the DPF, verify that the recipient appears as active on the official DPF List maintained by the U.S. Department of Commerce, check that the certification covers the type of data you are transferring, and re-check periodically, because certifications lapse if not renewed annually. If a recipient is not certified, if the data falls outside its certification, or if the transfer goes to a non-DPF jurisdiction, you must fall back on SCCs (or another Article 46 tool such as Binding Corporate Rules) supplemented by a documented TIA.
Practical Implementation Recommendations
First, inventory all international data transfers, including onward transfers by your processors' sub-processors, which are transfers too. For each transfer, determine whether it is covered by an adequacy decision (the DPF for certified U.S. recipients, or one of the other Article 45 decisions) or requires an Article 46 tool such as SCCs. Second, conduct and document a TIA for every transfer that relies on SCCs, particularly to jurisdictions with broad surveillance regimes. Third, establish a supplementary measures framework proportionate to the identified risks, and make the technical measures verifiable rather than merely described. Fourth, ensure that your Data Processing Agreements (DPAs) with processor recipients incorporate the correct SCC module and annexes (including the Annex II description of technical and organisational measures) and record the TIA findings. Finally, keep this documentation as evidence of compliance: regulatory inquiries will focus on whether you conducted an adequate assessment and acted on it, not on whether you reached a particular conclusion.
Schrems II did not prohibit international data transfers; it required that organizations conduct meaningful due diligence before transferring. Compliance professionals who approach this requirement methodically will find lawful pathways for necessary data flows while maintaining robust protection for individual rights.