GDPR
In a world where data sharing has become a daily necessity for businesses, the legal framework surrounding international transfers of personal data has never been more complex.
Since the "Schrems II" ruling of the Court of Justice of the European Union in July 2020, European organisations face heightened requirements for any transfer of personal data outside the European Economic Area (EEA).
This article sets out the major implications of this decision and the solutions available to keep your data flows compliant.
If you would like to engage a GDPR lawyer, contact me!
The Schrems II decision fundamentally called into question businesses' practices by invalidating the Privacy Shield, the mechanism that until then facilitated data transfers to the United States. This invalidation rests on an unequivocal finding: once transferred across the Atlantic, the data of European citizens does not benefit from a level of protection equivalent to that guaranteed by the GDPR, particularly in the face of US government surveillance programmes.
This landmark decision is not limited to exchanges with the United States. It now requires a rigorous assessment of the level of data protection in any third country before transferring personal information there. For European businesses, this is a genuine paradigm shift that calls for a complete overhaul of their data management strategy.
Despite this constraining context, several legal solutions make it possible to maintain the data flows necessary to your business. The main mechanism remains the use of the Standard Contractual Clauses (SCCs) published by the European Commission. These clauses, updated in June 2021 to take account of the post-Schrems II requirements, constitute a standardised contract between the data exporter and the data importer.
Binding Corporate Rules (BCRs) represent a robust alternative for multinational groups. These internal rules, approved by the data protection authorities, govern all transfers within a single group of companies, thereby offering a global and harmonised solution.
In certain specific cases, transfers may also rely on the derogations provided for in Article 49 of the GDPR, such as the explicit consent of the data subject or the necessity of performing a contract. However, the interpretation of these derogations remains strict and their use must remain exceptional.
Using the legal mechanisms mentioned above is no longer sufficient. One of the main post-Schrems II innovations lies in the obligation to implement supplementary measures where the legal framework of the recipient country does not guarantee adequate protection.
These supplementary measures may be technical in nature, such as end-to-end encryption of data with the keys retained within the EEA, advanced pseudonymisation of information, or decentralised storage solutions. They may also be contractual, with the addition of clauses strengthening the importer's obligations, particularly as regards transparency on government access requests.
Putting these measures in place requires an in-depth analysis of the risks specific to each data flow and each recipient country. The legal complexity of international transfers now calls for the expertise of a GDPR lawyer to secure your data exchanges and avoid significant penalties. Legal support not only helps to identify the risks specific to your situation, but also to determine the most appropriate supplementary measures.
The compliance of international transfers is not a one-off process but an ongoing obligation. Every organisation exporting data must now document a Transfer Impact Assessment (TIA) for each data flow leaving the EEA.
This assessment must in particular analyse:
Documenting this analysis is of crucial importance in the event of an inspection by the data protection authorities, as it demonstrates your proactive compliance approach. The ability to produce rigorous and regularly updated assessments is a decisive factor in the event of an investigation.
The framework governing international transfers continues to evolve rapidly. New solutions are emerging, such as the Privacy Shield 2.0 (now named the EU-US Data Privacy Framework), which seeks to provide strengthened safeguards for transfers to the United States.
At the same time, initiatives are underway to promote interoperability between different data protection systems around the world. The OECD, in particular, is developing common principles that could facilitate international exchanges while maintaining a high level of protection.
Businesses today must adopt a strategic approach to data transfers, building compliance into the very design of their information flows. This privacy-by-design approach, applied to international transfers, not only reduces legal risks but also strengthens the trust of partners and clients.
The evolution of the legal framework for transfers reflects an underlying trend: the assertion of European digital sovereignty. This momentum is prompting many organisations to rethink their data hosting and processing strategy.
More and more businesses are now choosing to localise their data within the European Union, thereby limiting international transfers to strictly necessary situations. This approach, although sometimes more costly in the short term, offers valuable legal certainty and anticipates the likely evolution of the regulations.
This trend goes hand in hand with the development of European sovereign cloud offerings, which provide strengthened safeguards in terms of independence from extraterritorial legislation such as the US Cloud Act. The support of a lawyer specialising in software and database law is invaluable in securing these storage infrastructures.
International transfers are undoubtedly one of the most complex aspects of the GDPR, requiring constant legal monitoring and regular adaptation of practices. In this shifting context, having expert legal support becomes a genuine competitive advantage.
Faced with this growing complexity, organisations must act without delay to bring their international transfers into compliance. The European data protection authorities have made transfers a priority of their enforcement actions, as evidenced by the recent penalties imposed on several major companies.
These penalties, which can reach 4% of annual worldwide turnover, are often accompanied by orders to cease certain transfers, with potentially devastating impacts on day-to-day operations. Beyond financial penalties, it is therefore the very continuity of operations that may be threatened by non-compliance in this area.
Managing international transfers now requires sharp legal expertise and a fine understanding of the technical issues at stake. To navigate this complex environment, organisations benefit from surrounding themselves with specialists capable of devising tailored and sustainable solutions. A lawyer specialising in CNIL matters and an internet law expert can support you in this process.
Data protection has become a strategic issue that goes well beyond mere regulatory compliance. Businesses that manage to turn this constraint into an opportunity, making data protection a genuine differentiating argument, will enjoy a significant competitive advantage in a world where digital trust is becoming a cardinal value.
To learn more
The Schrems II ruling of the Court of Justice of the European Union, handed down in July 2020, strengthened the requirements for any transfer of personal data outside the European Economic Area. In particular, it invalidated the Privacy Shield, which facilitated transfers to the United States.
The Schrems II ruling invalidated the Privacy Shield on the grounds that the data of European citizens did not benefit, once transferred to the United States, from a level of protection equivalent to that guaranteed within the European Union. This invalidation upended businesses' practices.
Any transfer of personal data outside the European Economic Area is concerned. Since Schrems II, these transfers require strengthened safeguards to ensure a level of protection equivalent to that of the GDPR, failing which they are non-compliant.
Businesses can use tools such as standard contractual clauses, supplemented by additional measures, or other safeguards provided for by the GDPR. A case-by-case analysis is necessary to ensure the effective level of protection in the destination country.
Standard contractual clauses are approved templates used to govern data transfers outside the EEA. Since Schrems II, they must often be supplemented by additional measures to guarantee effective protection of the transferred data.
Yes. Schrems II requires assessing the level of protection offered by the destination country and putting in place additional measures where necessary. This transfer impact assessment has become a key step in bringing international transfers into compliance.
A transfer of data outside the EEA without appropriate safeguards exposes the company to penalties from the CNIL and to the suspension of the flows concerned. Complying with the post-Schrems II requirements is therefore essential to securing international data transfers.
A GDPR lawyer helps to map transfers, put in place standard contractual clauses and additional measures, and assess the destination country. This support secures data flows in compliance with the post-Schrems II requirements.