
GDPR Cross-Border Data Transfer: SCCs, TIA & Adequacy 2026

GDPR cross-border data transfer guide. Adequacy decisions, Standard Contractual Clauses, Transfer Impact Assessment, and Schrems II compliance for 2026.

Transferring personal data across borders is essential in today’s globalized business environment. However, once data moves beyond the European Economic Area (EEA), specific legal obligations under the GDPR apply. Non-compliance can lead to significant fines and to the suspension of transfers, as the Schrems II case shows. This article explains what constitutes a cross-border data transfer, the legal framework governing such transfers, and notable cases, and then offers practical tips for ensuring compliance.

1. Understanding Cross-Border Data Transfers

A cross-border data transfer occurs when personal data is transmitted from an entity within the EEA to a recipient outside the EEA. This can happen in various ways, such as providing personal data to third parties located in non-EEA countries, allowing remote access to data stored within the EEA by entities outside it, using cloud services with servers outside the EEA, or sharing data within a multinational company from its EEA branches to those outside. It’s important to recognize that even storing data on servers located outside the EEA can constitute a cross-border transfer, regardless of where the data is accessed from.

Organizations – including those outside the EU that process EU residents’ data (see GDPR territorial scope) – must be vigilant in identifying such transfers to ensure they comply with GDPR requirements. Failure to do so can result in significant legal and financial repercussions. The complexity of modern data flows means that businesses must have a clear understanding of where their data resides and who has access to it.

2. The Legal Framework for Cross-Border Transfers

The GDPR sets out strict rules for transferring personal data to third countries or international organizations to protect the fundamental rights and freedoms of individuals. The key provisions are found in Articles 44 to 50.

Under Article 45, personal data can be transferred to a third country if the European Commission has decided that the country ensures an adequate level of protection. Countries with adequacy decisions include Andorra, Argentina, Canada (commercial organizations), Japan, New Zealand, Switzerland, and Uruguay. This means that data transfers to these countries are treated similarly to intra-EEA transfers, simplifying compliance for organizations.

In the absence of an adequacy decision, Article 46 allows transfers if the controller or processor has provided appropriate safeguards. These include Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and approved codes of conduct or certification mechanisms. These safeguards aim to ensure that the transferred data enjoys the same level of protection as within the EEA. Organizations must carefully implement these safeguards and often need to assess the legal environment of the recipient country to ensure that the safeguards are effective.

As a last resort, Article 49 provides for specific derogations where data transfers can occur without adequacy decisions or appropriate safeguards. These include explicit consent from the data subject, transfers necessary for the performance of a contract, or transfers necessary for important reasons of public interest. Reliance on these derogations should be limited and carefully considered, as they are exceptions rather than the rule, and overuse may attract regulatory scrutiny.

3. Notable Cases and Their Implications

Understanding past cases helps organizations grasp the importance of compliance and the potential consequences of non-compliance.

3.1 The Schrems II Decision

In July 2020, the Court of Justice of the European Union (CJEU) delivered a landmark judgment in the Schrems II case (Case C-311/18). The court invalidated the EU-U.S. Privacy Shield framework, stating that U.S. surveillance laws did not provide adequate protection for personal data of EU citizens. In July 2023, the European Commission adopted the EU-U.S. Data Privacy Framework (DPF) as a successor adequacy mechanism, but its long-term stability remains uncertain: in 2025, the General Court dismissed a legal challenge to the DPF, though an appeal to the CJEU is expected and privacy advocate Max Schrems has indicated he is preparing separate litigation that could result in a “Schrems III” challenge (Inside Privacy, 2026).

Implications of Schrems II:

Organizations can no longer rely on the Privacy Shield for data transfers to the U.S. They must assess whether the law in the recipient country ensures adequate protection and may need to implement supplementary measures. This includes conducting Transfer Impact Assessments to evaluate the legal environment of the third country before transferring data. The case underscores the need for organizations to thoroughly assess their data transfer mechanisms and ensure compliance with GDPR requirements. Failure to do so can result in the suspension of data transfers and significant operational challenges.

3.2 CNIL’s Sanction Against Google

In January 2019, the French Data Protection Authority (CNIL) fined Google LLC €50 million for lack of transparency, inadequate information, and lack of valid consent regarding personalized advertising.

Key Takeaways from the CNIL Decision:

Organizations must provide clear and accessible information notices about data processing activities. Consent must be specific, informed, and unambiguous. Pre-ticked boxes or vague statements are insufficient. This case highlights the significant financial and reputational risks associated with non-compliance and emphasizes the importance of transparency and valid consent under the GDPR. It serves as a reminder that large organizations are not exempt from regulatory action.

4. Practical Tips for GDPR Compliance

Organizations can take several steps to ensure compliance with GDPR when transferring data across borders.

Firstly, assess the legal basis for transfer. Verify if the destination country has an adequacy decision from the European Commission. If not, implement appropriate safeguards such as SCCs or BCRs to provide legal protection for the data transfer. It’s crucial to ensure that these safeguards are properly incorporated into contracts and that all parties understand their obligations. Limit the use of derogations and rely on them only when absolutely necessary, ensuring they are applied correctly and documented thoroughly.

Secondly, conduct Transfer Impact Assessments (TIAs). Evaluate the legal and regulatory environment of the recipient country to identify potential risks to data protection. This includes analyzing local laws that may affect the protection of personal data, such as surveillance laws or laws requiring disclosure of data to authorities. Document these assessments to demonstrate due diligence and accountability. TIAs should be revisited periodically or when there are significant changes in the legal environment.

Thirdly, enhance technical and organizational measures. Protect data during transit and storage using strong encryption protocols. Implement robust data minimization practices by transferring only the data necessary for the intended purpose. Restrict access to personal data to authorized personnel through stringent access controls and regularly review access rights. Employ measures such as pseudonymization or anonymization where appropriate to reduce the risk associated with data transfers.

Additionally, update contracts and policies. Use the latest version of SCCs approved by the European Commission in contracts with processors and controllers outside the EEA. Clearly define data protection obligations with third parties and processors under Article 28 GDPR, including responsibilities for data security, breach notification, and cooperation with supervisory authorities. Educate staff about GDPR requirements and best practices for data transfers through regular training sessions. Ensure that employees understand the importance of compliance and their role in protecting personal data.

Finally, stay informed and seek legal advice. Monitor updates from data protection authorities, such as the European Data Protection Board (EDPB), and adjust practices accordingly. Changes in regulations or new legal precedents can significantly impact compliance obligations. Consult legal experts when dealing with complex transfer scenarios or uncertainties to ensure compliance. Legal counsel can provide valuable insights into navigating the complexities of international data transfers under the GDPR.

5. Operational deep-dives

For implementation specifics, three companion guides:

For Switzerland-specific data flows, see data transfers to Switzerland under nLPD (FR).

6. Conclusion

Cross-border data transfers are integral to the operations of many organizations in today’s interconnected world. However, they come with significant responsibilities under the GDPR. Non-compliance can result in substantial fines and damage to an organization’s reputation. By understanding the legal framework, learning from past cases, and implementing practical compliance measures, organizations can effectively navigate the complexities of cross-border data transfers. Proactive compliance not only mitigates legal risks but also builds trust with customers and partners by demonstrating a commitment to protecting personal data. Organizations should also ensure that their data processors outside the EEA are bound by appropriate contractual safeguards, and may benefit from reviewing our GDPR compliance checklist for a comprehensive overview of all obligations.

FAQ

What is a cross-border data transfer under GDPR?

A cross-border data transfer occurs when personal data is sent from the EU/EEA to a country outside it — including cloud services, email providers, or analytics tools hosted in non-EEA countries (e.g. the United States).

Which transfer mechanisms does the GDPR provide?

Chapter V of GDPR provides three main mechanisms: adequacy decisions (for countries like the UK, Japan, Canada), Standard Contractual Clauses (SCCs), and Binding Corporate Rules (BCRs) for intra-group transfers. Derogations under Article 49 apply in specific cases.

Can personal data be transferred to the United States?

Yes, under the EU-US Data Privacy Framework (DPF), adopted in July 2023. US companies certified under the DPF can receive EU personal data without additional safeguards. SCCs remain valid but require a Transfer Impact Assessment (TIA).

What happens if you transfer data without an appropriate safeguard?

Unauthorised transfers can result in fines up to €20 million or 4% of annual global turnover. The CNIL fined Google Analytics users €100,000–€200,000 per case in 2022 for unlawful US transfers.

Written by
Dr. Thiébaut Devergranne
Founder of Legiscope and GDPR expert

Doctor of Law from Panthéon-Assas University (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.