From Safe Harbor to Schrems III
Transferring personal data outside the EEA is one of the most challenging GDPR issues. The CJEU's track record shows why: it invalidated Safe Harbor (Schrems I, 2015) and Privacy Shield (Schrems II, 2020), and the EU-US Data Privacy Framework (DPF) now faces a new NOYB challenge.
Standard Contractual Clauses — Are They Enough?
SCCs remain the most common transfer mechanism but require a Transfer Impact Assessment (TIA) after Schrems II. Simply signing SCCs is not enough — evaluate whether the recipient country provides adequate protection.
- Conduct a TIA for each transfer to a country without an adequacy decision
- Implement supplementary measures if the TIA identifies risks
- Document the analysis for the supervisory authority
- Update TIAs after legislative changes in recipient countries
Practical Steps
- Transfer inventory — map all data flows outside the EEA, including sub-processors
- Mechanism hierarchy — adequacy decisions first, SCCs as Plan B
- End-to-end encryption — key supplementary measure
- Contingency plan — prepare for possible DPF invalidation
Binding Corporate Rules (BCR)
For companies with extensive international structures, BCRs remain the most robust mechanism. Approval takes 12–18 months, but once approved, BCRs provide flexibility for intra-group transfers independent of adequacy decisions.