
GDPR and international data transfers: the new post-Schrems II requirements

In a world where data sharing has become a daily necessity for businesses, the legal framework surrounding international transfers of personal data has never been more complex.

Since the "Schrems II" ruling of the Court of Justice of the European Union in July 2020, European organisations face heightened requirements for any transfer of personal data outside the European Economic Area (EEA).

This article sets out the major implications of this decision and the solutions available to keep your data flows compliant.

If you would like to engage a GDPR lawyer, contact me!

The major impact of the Schrems II ruling

The Schrems II decision fundamentally called into question businesses' practices by invalidating the Privacy Shield, the mechanism that until then facilitated data transfers to the United States. This invalidation rests on an unequivocal finding: once transferred across the Atlantic, the data of European citizens does not benefit from a level of protection equivalent to that guaranteed by the GDPR, particularly in the face of US government surveillance programmes.

This landmark decision is not limited to exchanges with the United States. It now requires a rigorous assessment of the level of data protection in any third country before transferring personal information there. For European businesses, this is a genuine paradigm shift that calls for a complete overhaul of their data management strategy.

Authorised transfer mechanisms post-Schrems II

Despite this constraining context, several legal solutions make it possible to maintain the data flows necessary to your business. The main mechanism remains the use of the Standard Contractual Clauses (SCCs) published by the European Commission. These clauses, updated in June 2021 to take account of the post-Schrems II requirements, constitute a standardised contract between the data exporter and the data importer.

Binding Corporate Rules (BCRs) represent a robust alternative for multinational groups. These internal rules, approved by the data protection authorities, govern all transfers within a single group of companies, thereby offering a global and harmonised solution.

In certain specific cases, transfers may also rely on the derogations provided for in Article 49 of the GDPR, such as the explicit consent of the data subject or the necessity of performing a contract. However, the interpretation of these derogations remains strict and their use must remain exceptional.

The essential supplementary measures

Using the legal mechanisms mentioned above is no longer sufficient. One of the main post-Schrems II innovations lies in the obligation to implement supplementary measures where the legal framework of the recipient country does not guarantee adequate protection.

These supplementary measures may be technical in nature, such as end-to-end encryption of data with the keys retained within the EEA, advanced pseudonymisation of information, or decentralised storage solutions. They may also be contractual, with the addition of clauses strengthening the importer's obligations, particularly as regards transparency on government access requests.
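The two technical measures named above, pseudonymisation and encryption with the keys retained in the EEA, are easy to state and easy to get wrong in practice. The following Go program is an added illustration written for this article, not code from the author or any product it mentions; it assumes only the Go standard library, a constructed sample record, and that both keys are generated and stored on the exporter's side. The importer receives a keyed pseudonym (HMAC-SHA256) instead of the e-mail address and AES-256-GCM ciphertext instead of the free-text field, and the pseudonym is bound to the ciphertext as authenticated data so a field cannot be re-attached to another record:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is a constructed sample of personal data held by the exporter in the EEA.
type Record struct {
	Email   string // direct identifier
	Address string // sensitive free-text field
}

// ExportedRecord is what actually crosses the border: a keyed pseudonym in place
// of the identifier, and AES-GCM ciphertext in place of the free-text field.
type ExportedRecord struct {
	Pseudonym  string
	Nonce      []byte
	Ciphertext []byte
}

// NewKey draws a 256-bit key. Both keys in this example are generated and kept
// on the exporter's side; they are never part of the exported record.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// Pseudonymise maps an identifier to a stable pseudonym with HMAC-SHA256.
// Because the secret key stays in the EEA, the importer can link records that
// share an identifier but cannot recover it, nor test guesses as it could
// against an unkeyed hash.
func Pseudonymise(pseudoKey []byte, identifier string) string {
	mac := hmac.New(sha256.New, pseudoKey)
	mac.Write([]byte(identifier))
	return hex.EncodeToString(mac.Sum(nil))
}

func newGCM(encKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Export produces the record the importer receives. The pseudonym is passed as
// additional authenticated data, so a ciphertext cannot be re-attached to a
// different pseudonym without the authentication tag failing.
func Export(encKey, pseudoKey []byte, r Record) (ExportedRecord, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return ExportedRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return ExportedRecord{}, err
	}
	pseudo := Pseudonymise(pseudoKey, r.Email)
	ct := gcm.Seal(nil, nonce, []byte(r.Address), []byte(pseudo))
	return ExportedRecord{Pseudonym: pseudo, Nonce: nonce, Ciphertext: ct}, nil
}

// Reimport is the exporter-side inverse and the only place the encryption key
// is used. With any other key, or a tampered record, it returns an error.
func Reimport(encKey []byte, e ExportedRecord) (string, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(e.Pseudonym))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	encKey, _ := NewKey()
	pseudoKey, _ := NewKey()
	// Constructed sample record; no real person or address.
	r := Record{Email: "alice@example.eu", Address: "1 rue Constructed, 75001 Paris"}
	e, err := Export(encKey, pseudoKey, r)
	if err != nil {
		panic(err)
	}
	fmt.Printf("importer sees pseudonym %s... and %d ciphertext bytes\n", e.Pseudonym[:16], len(e.Ciphertext))
	back, _ := Reimport(encKey, e)
	fmt.Println("exporter recovers:", back)
}
```

The point of the design is where the keys live: the importer holds nothing that reverses either transformation, which is what distinguishes these measures from encryption managed by the importer or by a provider subject to the recipient country's access requests. Linking the pseudonym to the ciphertext as authenticated data also means an exported record is tamper-evident on its way back.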

Putting these measures in place requires an in-depth analysis of the risks specific to each data flow and each recipient country. The legal complexity of international transfers now calls for the expertise of a GDPR lawyer to secure your data exchanges and avoid significant penalties. Legal support not only helps to identify the risks specific to your situation, but also to determine the most appropriate supplementary measures.

Assessing transfers: an ongoing obligation

The compliance of international transfers is not a one-off process but an ongoing obligation. Every organisation exporting data must now document a Transfer Impact Assessment (TIA) for each data flow leaving the EEA.

This assessment must in particular analyse:

  • The context of the transfer (nature of the data, purposes, etc.)
  • The laws and practices of the recipient country, particularly as regards government access
  • The effectiveness of the protection measures implemented

Documenting this analysis is of crucial importance in the event of an inspection by the data protection authorities, as it demonstrates your proactive compliance approach. The ability to produce rigorous and regularly updated assessments is a decisive factor in the event of an investigation.

Preparing the future of international transfers

The framework governing international transfers continues to evolve rapidly. New solutions are emerging, such as the Privacy Shield 2.0 (now named the EU-US Data Privacy Framework), which seeks to provide strengthened safeguards for transfers to the United States.

At the same time, initiatives are underway to promote interoperability between different data protection systems around the world. The OECD, in particular, is developing common principles that could facilitate international exchanges while maintaining a high level of protection.

Businesses today must adopt a strategic approach to data transfers, building compliance into the very design of their information flows. This privacy by design approach applied to international transfers not only reduces legal risks, but also strengthens the trust of partners and clients.

Towards European digital sovereignty

The evolution of the legal framework for transfers reflects an underlying trend: the assertion of European digital sovereignty. This momentum is prompting many organisations to rethink their data hosting and processing strategy.

More and more businesses are now choosing to localise their data within the European Union, thereby limiting international transfers to strictly necessary situations. This approach, although sometimes more costly in the short term, offers valuable legal certainty and anticipates the likely evolution of the regulations.

This trend goes hand in hand with the development of European sovereign cloud offerings, which provide strengthened safeguards in terms of independence from extraterritorial legislation such as the US Cloud Act. The support of a lawyer specialising in software and database law is invaluable in securing these storage infrastructures.

International transfers are undoubtedly one of the most complex aspects of the GDPR, requiring constant legal monitoring and regular adaptation of practices. In this shifting context, having expert legal support becomes a genuine competitive advantage.

Act now to avoid tomorrow's penalties

Faced with this growing complexity, organisations must act without delay to bring their international transfers into compliance. The European data protection authorities have made transfers a priority of their enforcement actions, as evidenced by the recent penalties imposed on several major companies.

These penalties, which can reach 4% of annual worldwide turnover, are often accompanied by orders to cease certain transfers, with potentially devastating impacts on day-to-day operations. Beyond financial penalties, it is therefore the very continuity of operations that may be threatened by non-compliance in this area.

Managing international transfers now requires sharp legal expertise and a fine understanding of the technical issues at stake. To navigate this complex environment, organisations benefit from surrounding themselves with specialists capable of devising tailored and sustainable solutions. A lawyer specialising in CNIL matters and an internet law expert can support you in this process.

Data protection has become a strategic issue that goes well beyond mere regulatory compliance. Businesses that manage to turn this constraint into an opportunity, making data protection a genuine differentiating argument, will enjoy a significant competitive advantage in a world where digital trust is becoming a cardinal value.

To learn more

What did the Schrems II ruling change for data transfers?

The Schrems II ruling of the Court of Justice of the European Union, handed down in July 2020, strengthened the requirements for any transfer of personal data outside the European Economic Area. In particular, it invalidated the Privacy Shield, which facilitated transfers to the United States.

Why was the Privacy Shield invalidated?

The Schrems II ruling invalidated the Privacy Shield on the grounds that the data of European citizens did not benefit, once transferred to the United States, from a level of protection equivalent to that guaranteed within the European Union. This invalidation upended businesses' practices.

When is a data transfer subject to these requirements?

Any transfer of personal data outside the European Economic Area is covered. Since Schrems II, these transfers require strengthened safeguards to ensure a level of protection equivalent to that of the GDPR, failing which they are non-compliant.

What solutions are there for transferring data outside the EEA?

Businesses can use tools such as standard contractual clauses, supplemented by additional measures, or other safeguards provided for by the GDPR. A case-by-case analysis is necessary to ensure the effective level of protection in the destination country.

What are standard contractual clauses?

Standard contractual clauses are approved templates used to govern data transfers outside the EEA. Since Schrems II, they must often be supplemented by additional measures to guarantee effective protection of the transferred data.

Is it necessary to assess the destination country of the data?

Yes. Schrems II requires assessing the level of protection offered by the destination country and putting in place additional measures where necessary. This transfer impact assessment has become a key step in bringing international transfers into compliance.

What are the risks in the event of a non-compliant transfer?

A transfer of data outside the EEA without appropriate safeguards exposes the company to penalties from the CNIL and to the suspension of the flows concerned. Complying with the post-Schrems II requirements is therefore essential to securing international data transfers.

Is a lawyer useful for international data transfers?

A GDPR lawyer helps to map transfers, put in place standard contractual clauses and additional measures, and assess the destination country. This support secures data flows in compliance with the post-Schrems II requirements.
