GDPR cross-border data transfers after Schrems II — a practical guide
Rachel Okonkwo · 2025-04-29
The 2020 Schrems II ruling invalidated the EU-US Privacy Shield framework. The 2023 EU-US Data Privacy Framework replaced it. Most firms still don't have their cross-border story straight, and the next ruling is overdue.
The current state
Three legal mechanisms support EU-to-US personal data transfers today:
- EU-US Data Privacy Framework (DPF). Adopted July 2023. US companies self-certify with the Department of Commerce. Provides an adequacy basis for transfers from EU to certified US recipients.
- Standard Contractual Clauses (SCCs). 2021 modular SCCs. Useful when the recipient isn't DPF-certified or when the DPF is challenged again (and it will be).
- Adequacy decisions. Some non-EU jurisdictions (UK, Switzerland, Canada, Japan, others) have full or partial adequacy. Check the current list before assuming.
Transfer impact assessments
Schrems II didn't just invalidate Privacy Shield. It required exporters to assess whether the destination jurisdiction's surveillance laws undermine the adequacy of contractual safeguards. A Transfer Impact Assessment (TIA) is the documentation of that analysis.
You need a TIA when:
- You're transferring personal data of EU residents outside the EEA under SCCs
- You're transferring to a country without an adequacy decision
- The destination jurisdiction has known surveillance or data-access laws (FISA 702, for example)
A reasonable TIA runs 4–8 pages and takes a privacy professional a half-day to complete per destination. The European Data Protection Board has published guidance with templates.
Common firm mistakes
- Assuming SCCs alone are enough. They're necessary, not sufficient. The TIA is the rest of the picture.
- Skipping the TIA entirely. If a data protection authority asks for your TIA and you don't have one, you're explaining a gap.
- Sub-processor blind spots. Your transfer obligations flow through to your sub-processors. If you transfer to a US-based sub-processor that then transfers further to India, you need to document both hops.
- Reusing old templates. The 2021 SCCs replaced earlier versions. Older clauses are no longer valid bases for new transfers.
A 6-step transfer review
- Map every cross-border data flow. Source jurisdiction, destination, data categories, volume, sub-processors.
- For each flow, identify the lawful transfer basis (adequacy, DPF, SCCs, derogation).
- Where SCCs apply, conduct and document a TIA.
- Update your data processing agreements to reference current SCCs (Module 2 for controller-to-processor is most common).
- Verify sub-processor transfer mechanisms align with your own.
- Review annually and after any major regulatory shift.
Cross-border data transfer is primarily a paperwork problem. Solve the paperwork once, then maintain it. The firms that get into trouble are the ones who assumed the 2016 paperwork was still good in 2025.