International Data Transfers After the EU–US Data Privacy Framework

Sending personal data outside the European Economic Area is one of the most litigated corners of the GDPR. After Schrems II struck down Privacy Shield in 2020, thousands of businesses were left scrambling. The EU–US Data Privacy Framework, adopted in July 2023, restored a clear route — but only for certified US recipients, and only while it survives the inevitable legal challenge.

The four routes out of the EEA

• An adequacy decision — the country (or, for the US, a certified company under the Data Privacy Framework) is deemed to offer essentially equivalent protection.
• Appropriate safeguards — most commonly standard contractual clauses (SCCs) or binding corporate rules.
• A transfer impact assessment to confirm the safeguard actually works in the destination country.
• A specific derogation under Article 49 for occasional, narrowly-defined transfers.

If your recipient is in the US

Check whether they are actively self-certified under the Data Privacy Framework for the relevant data type. If they are, you can transfer without additional safeguards. If they are not — or their certification lapses — you fall back to SCCs plus a transfer impact assessment.

Everywhere else

For destinations without an adequacy decision, SCCs remain the workhorse. But SCCs are not a rubber stamp: Schrems II requires you to assess the destination country's laws and add supplementary measures — such as encryption — where government access is a real risk.

Do not forget remote access

A 'transfer' is not only about servers. Support staff, developers or analysts viewing EU data from outside the EEA counts too. Map human access, not just data storage.

Assume every transfer mechanism may one day be challenged. The organisations that sleep well are the ones whose paperwork is already in order.

Our team designs transfer frameworks that hold up under scrutiny — mapping flows, selecting mechanisms and drafting the assessments regulators now expect to see.