International Data Transfers

Adequacy decisions, Standard Contractual Clauses (SCCs), BCRs, Transfer Impact Assessment, and Schrems II.

International Data Transfers under the GDPR

Chapter V of the GDPR (Articles 44-49) establishes strict rules for transferring personal data to third countries (outside the EU/EEA) or to international organisations. The basic principle is clear: the level of protection guaranteed by the GDPR must not be undermined by the transfer.

This topic has become one of the most complex areas of GDPR compliance, particularly following the Schrems II decision by the Court of Justice of the EU (CJEU) in 2020 and the subsequent adoption of the EU-US Data Privacy Framework in 2023.

Transfer Mechanisms

The GDPR provides several mechanisms for lawful international data transfers, in descending order of simplicity:

1. Adequacy Decisions (Art. 45)

The European Commission can determine that a third country, territory, sector, or international organisation provides an adequate level of protection. When an adequacy decision is in place, transfers can occur without any further safeguards, just as if the data were staying within the EU/EEA.

Countries with full adequacy decisions include: Andorra, Argentina, Canada (commercial organisations under PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, and Uruguay. The US is covered by the EU-US Data Privacy Framework (DPF) for certified organisations.

2. Standard Contractual Clauses (Art. 46(2)(c))

Standard Contractual Clauses (SCCs) are the most widely used transfer mechanism. The European Commission adopted modernised SCCs in June 2021, which replaced the previous versions. The new SCCs cover four transfer scenarios:

  • Controller to controller (Module 1)
  • Controller to processor (Module 2)
  • Processor to processor (Module 3)
  • Processor to controller (Module 4)

Important: Since the Schrems II ruling, SCCs alone may not be sufficient. You must also conduct a Transfer Impact Assessment (TIA) to evaluate whether the legal framework of the recipient country provides an essentially equivalent level of protection.

3. Binding Corporate Rules (Art. 47)

Binding Corporate Rules (BCRs) are internal rules adopted by a multinational group of companies for intra-group transfers to entities in third countries. BCRs must be approved by the competent supervisory authority and provide enforceable rights for data subjects.

BCRs are powerful but expensive and time-consuming to implement (typically 12-24 months for approval). They are most suitable for large multinational corporations with significant intra-group data flows.

4. Derogations for Specific Situations (Art. 49)

When no adequacy decision, SCCs, or BCRs are in place, Art. 49 provides derogations for specific situations:

  • Explicit consent of the data subject (with information about risks)
  • Transfer necessary for the performance of a contract
  • Transfer necessary for important reasons of public interest
  • Transfer necessary for the establishment, exercise, or defence of legal claims
  • Transfer necessary to protect vital interests
  • Transfer from a public register

These derogations are interpreted strictly and cannot serve as the basis for regular, large-scale transfers. They are intended for occasional transfers only.

Schrems II and Its Consequences

The CJEU's Schrems II decision (C-311/18, July 2020) invalidated the EU-US Privacy Shield and clarified that SCCs are not a rubber stamp. Controllers must verify on a case-by-case basis whether the legal framework of the recipient country provides adequate protection. If it does not, supplementary measures must be implemented.

The European Data Protection Board (EDPB) published guidance on supplementary measures, which include:

  • Technical measures: Encryption with keys held solely in the EU, pseudonymisation, split processing
  • Contractual measures: Enhanced transparency commitments, notification of government access requests
  • Organisational measures: Internal policies on handling government access requests, data minimisation for transfers

The EU-US Data Privacy Framework

In July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF). US companies that self-certify under the DPF can receive personal data from the EU without additional safeguards. The DPF includes new safeguards regarding US government access to data, including a Data Protection Review Court.

Important considerations: The DPF covers only US companies that have self-certified. Always verify certification on the DPF list before relying on it. The adequacy decision could face legal challenges (a "Schrems III" scenario), so maintaining fallback mechanisms (SCCs) is prudent.

Transfer Impact Assessment (TIA)

When relying on SCCs, you must conduct a TIA before the transfer. The assessment should evaluate:

  • The legal framework of the recipient country (surveillance laws, government access powers)
  • The specific circumstances of the transfer (type of data, sector, volume)
  • Whether supplementary measures are needed
  • Whether those measures effectively prevent government access to data in clear text

Document the TIA thoroughly. Supervisory authorities expect organisations to demonstrate that they have conducted this assessment. The TIA should be reviewed periodically and whenever the legal situation in the recipient country changes.

International data transfers must be documented in your records of processing activities and addressed in your data processing agreements.

Manage International Transfers with Confidence

Kopexa helps you map all international data transfers, track transfer mechanisms and adequacy decisions, and document your TIAs. Stay compliant even as the legal landscape evolves. Start with our GDPR Checklist for a complete compliance assessment.
