Cross-Border Data Transfers: SCCs, Adequacy, and Transfer Impact Assessments
Few areas of data protection law generate as much operational friction as international data transfers. The moment a European business uses a cloud provider hosted abroad, a support team in another region, or an analytics tool routed through third-country servers, the GDPR's transfer rules engage. Chapter V of the GDPR restricts the movement of personal data outside the European Economic Area (EEA) unless the recipient country guarantees an "essentially equivalent" level of protection. Getting this analysis right has become a central task for privacy counsel.
Why Transfer Rules Exist
The premise is straightforward: personal data protected inside the EEA should not lose that protection simply because it crosses a border. A transfer, in this context, means making personal data accessible to a recipient in a third country — which includes remote access, not merely physical data movement. If personal data could be exported freely to jurisdictions with weaker safeguards or intrusive government-access regimes, the GDPR's protections would be easy to circumvent.
The regime is layered. Organisations must first identify an appropriate transfer mechanism, and, following the Court of Justice's landmark 2020 Schrems II ruling, may also need to assess and supplement that mechanism to address the legal environment of the destination country.
Adequacy Decisions
The simplest route is an adequacy decision. Under Article 45, the European Commission can determine that a third country, territory, or sector ensures an adequate level of data protection. Where such a decision exists, transfers may proceed without any additional authorisation or safeguard, much as if the data were staying within the EEA.
A number of jurisdictions benefit from adequacy findings, and the EU-US Data Privacy Framework provides an adequacy route for transfers to certified US organisations. Adequacy decisions are periodically reviewed and can be amended, suspended, or repealed if the Commission concludes the third country no longer ensures adequate protection, so reliance on adequacy is not a permanent guarantee and should be monitored.
Standard Contractual Clauses
Where no adequacy decision applies, the most widely used tool is the set of Standard Contractual Clauses (SCCs) adopted by the Commission in 2021 under Article 46. These are pre-approved contractual terms that impose data-protection obligations on the data importer and grant enforceable rights to data subjects.
The modern SCCs are built on a modular design, allowing parties to select the module that matches their relationship:
- Module 1 — controller to controller.
- Module 2 — controller to processor.
- Module 3 — processor to processor.
- Module 4 — processor to controller.
The clauses include a "docking" mechanism so additional parties can join over time, and they require the importer to notify the exporter of any government access request and to challenge unlawful demands where possible. Signing the SCCs, however, is no longer sufficient on its own.
Other Article 46 Safeguards
The SCCs are not the only appropriate safeguard. Depending on the structure of the transfer, organisations may rely on:
- Binding Corporate Rules (BCRs) — internal codes approved by a supervisory authority for transfers within a corporate group.
- Approved codes of conduct or certification mechanisms with binding commitments.
- Ad hoc contractual clauses authorised by a competent supervisory authority.
BCRs are attractive for large multinationals because they cover intra-group flows comprehensively, but the approval process is demanding and lengthy.
The Impact of Schrems II
In Schrems II, the Court of Justice invalidated the earlier EU-US Privacy Shield and held that exporters relying on SCCs cannot do so mechanically. They must verify, on a case-by-case basis, whether the law and practice of the destination country undermine the protections the SCCs promise — particularly regarding government surveillance and the availability of redress for individuals. Where the destination's legal regime falls short, the parties must adopt supplementary measures or refrain from the transfer.
This ruling gave rise to the now-standard Transfer Impact Assessment.
Conducting a Transfer Impact Assessment
A Transfer Impact Assessment (TIA) is a documented evaluation of whether a specific transfer can proceed with adequate protection. Regulatory guidance frames it as a structured, six-step exercise:
- Know your transfers — map the data flows, recipients, and onward transfers involved.
- Identify the transfer tool — confirm which Article 46 mechanism applies.
- Assess the third-country law and practice — evaluate whether local surveillance laws or government-access powers could compromise the safeguards, considering the nature of the data and the likelihood of access.
- Adopt supplementary measures — where needed, add technical, contractual, or organisational protections.
- Take procedural steps — implement the measures, which may require consulting the importer or a supervisory authority.
- Re-evaluate periodically — monitor developments in the destination country and revisit the assessment.
Technical measures carry the most weight because they can protect data even against lawful government demands. Common examples include strong end-to-end encryption where the importer has no access to the keys, robust pseudonymisation, and split or multi-party processing. Contractual and organisational measures — transparency reporting, warrant-canary style commitments, and challenge obligations — support but rarely substitute for technical safeguards.
Derogations for Specific Situations
Article 49 provides a set of derogations for occasional, non-repetitive transfers where no adequacy decision or appropriate safeguard is available. These include transfers made with the explicit, informed consent of the data subject; transfers necessary to perform a contract with, or in the interest of, the data subject; transfers necessary for important reasons of public interest; and transfers required to establish, exercise, or defend legal claims.
Regulators interpret these derogations narrowly. They are intended for genuinely exceptional cases and should not be used to legitimise systematic, ongoing data exports — that is what adequacy decisions and Article 46 safeguards are for.
Practical Compliance Steps
For legal and privacy teams managing transfer risk, a disciplined process is essential:
- Maintain an up-to-date inventory of all international transfers, including onward transfers by processors and sub-processors.
- Match each transfer to the correct mechanism, defaulting to adequacy where available and SCCs otherwise.
- Document a TIA for transfers to non-adequate countries, and store the reasoning for regulator review.
- Layer supplementary measures — encryption first — where destination-country law raises concerns.
- Revisit assessments when adequacy decisions change, new surveillance laws emerge, or vendor arrangements shift.
International transfer compliance is not a one-time contractual exercise but a continuing risk-management discipline. Because supervisory authorities have shown willingness to scrutinise — and in some cases halt — transfers that rest on paperwork alone, organisations that pair the right mechanism with a genuine, documented assessment are far better positioned to defend their data flows.