Module 07 · Lesson 05

Moving data across borders

Transferring personal data outside the EEA is legally complex. This decision tree guides you through the mechanisms available after Schrems II.

Step 1

Is the destination adequate?

Check
Adequacy decision exists? EC declares the country provides essentially equivalent protection. If yes → transfer is permitted without additional safeguards.
Adequate countries | Status
UK, Japan, South Korea, Canada (commercial), Israel, Switzerland, New Zealand | Active
United States (EU-US Data Privacy Framework) | Active but challenged
China, Russia, India | No adequacy

If no adequacy → proceed to Step 2.

Step 2

Use Standard Contractual Clauses

SCCs
Pre-approved contract templates between data exporter and importer. New SCCs adopted June 2021 — old versions expired December 2022.
TIA Required
Transfer Impact Assessment: Post-Schrems II, you must evaluate whether the destination country's laws undermine SCC protections.
Supplement
If TIA fails: Add technical supplementary measures — encryption, pseudonymization, data localization. If measures are insufficient → transfer must stop.

Step 3

Alternative mechanisms

BCRs
Binding Corporate Rules
Internal privacy rules approved by a DPA for intra-group transfers. Complex to obtain (12-18 months), used mainly by large multinationals.
Article 49
Derogations
Explicit consent, contract performance, legal claims, vital interests. Narrow scope: cannot be used for systematic transfers.

BCRs are a one-time investment for ongoing intra-group transfers. Article 49 derogations are a last resort only.

Schrems II Impact

Why everything changed in 2020

The CJEU invalidated EU-US Privacy Shield and added requirements to SCCs:

TIA
Evaluate destination country surveillance laws. Do they undermine the protection SCCs provide?
Supplement
If laws are inadequate, add technical measures: encryption where importer cannot access plaintext, pseudonymization with keys retained in EU.
Stop
If no supplementary measure can bridge the gap → you cannot transfer the data. Period.
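
The "pseudonymization with keys retained in EU" measure above, sketched as an added example that is not part of the original lesson. The record schema, field names and the `EUPseudonymizer` class are assumptions made for illustration; the sample record is constructed.

```python
import hashlib
import hmac
import secrets

# Fields that directly identify a person (assumed schema for this example).
DIRECT_IDENTIFIERS = ("email", "name")


class EUPseudonymizer:
    """Runs on the exporter side; key and lookup table never leave the EEA."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)  # retained in the EU
        self._lookup = {}  # pseudonym -> original value, retained in the EU

    def pseudonym(self, value):
        # Keyed HMAC: without the key, the importer cannot recompute
        # pseudonyms from guessed emails or names.
        norm = value.strip().lower().encode("utf-8")
        return hmac.new(self._key, norm, hashlib.sha256).hexdigest()

    def export_record(self, record):
        """Return the copy that may be sent to the importer."""
        out = {}
        for field, value in record.items():
            if field in DIRECT_IDENTIFIERS:
                token = self.pseudonym(value)
                self._lookup[token] = value
                out[field + "_pseudonym"] = token
            else:
                out[field] = value
        return out

    def reidentify(self, token):
        """Only possible inside the EU, where the lookup table lives."""
        return self._lookup.get(token)


# Constructed sample record, not real data.
SAMPLE = {"email": "Anna.Schmidt@example.eu", "name": "Anna Schmidt", "plan": "pro"}

if __name__ == "__main__":
    eu = EUPseudonymizer()
    print(eu.export_record(SAMPLE))
```

Non-identifier fields pass through unchanged, so any field that identifies a person on its own must be added to `DIRECT_IDENTIFIERS` before export.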

EU-US Data Privacy Framework

The successor to Privacy Shield

Adopted July 2023 based on US Executive Order 14086 limiting intelligence agency access.

How it works
US companies self-certify
Certified companies are considered adequate for EU transfers. Check the DPF list before transferring.
The risk
Schrems III?
Privacy advocates predict another legal challenge. NOYB has signaled intent to challenge. Build contingency plans.

Key Takeaway

The decision tree

Remember this

1. Adequacy decision? → Transfer freely.

2. No adequacy? → SCCs + TIA + supplementary measures.

3. Intra-group? → Consider BCRs (one-time investment).

4. None of the above? → Article 49 derogations (narrow, last resort).

5. Can't make it work? → Don't transfer. Keep the data in the EEA.

Always have a contingency plan for US transfers — the legal landscape can change overnight.
