International data transfers
Schrems II, DPF, SCCs — what works where in 2026.
Personal data leaves the EU, UK, Switzerland, Canada (Quebec), Brazil, Korea, India and many other regimes only under specific safeguards. The post-Schrems II landscape (CJEU C-311/18, July 2020) means a contract is rarely enough on its own.
The four EU transfer mechanisms
- Adequacy decisions (GDPR Art 45). The Commission has decided the country offers equivalent protection. Active for: Andorra, Argentina, Canada (commercial), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, UK, Uruguay, USA (under DPF only — see below).
- Data Privacy Framework (DPF). The current EU-US adequacy bridge, in force since July 2023 — replacing Privacy Shield (struck down 2020). Specific to certified US recipients. German LfDI BW, CNIL, and Garante all expect supplementary measures (TIA — Transfer Impact Assessment) even with DPF active.
- Standard Contractual Clauses (SCCs). The 2021 modular SCCs cover most B2B vendor relationships. Transfer Impact Assessment + supplementary technical measures (encryption-in-transit, encryption-at-rest, no-keys-shared, sub-processor obligations) are non-negotiable.
- Binding Corporate Rules (BCRs). Intra-group transfers within multinational corporations — long approval process, only practical for large enterprises.
Schrems II realities
If your US-based vendor is subject to FISA 702 surveillance authority, no contract or DPF certification fully cures the risk of exposure to a US court of inquiry. The technical controls that actually move the needle:
- Strong end-to-end encryption with keys held only by the EU controller
- Pseudonymization at source — only opaque IDs leave the EU
- EU-region routing at the cloud-provider level (AWS Frankfurt, Azure West Europe) — but this alone is insufficient if the parent company is US-based
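The pseudonymization-at-source control above, sketched as an added example (not code from this page): an EU-side export step derives opaque IDs with HMAC-SHA256 under a key that never leaves the EU, drops direct identifiers, and refuses records with unclassified fields. The field names, the allowlist and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: these field names and the allowlist are illustrative.
DIRECT_IDENTIFIERS = {"email", "name", "phone"}
EXPORT_ALLOWLIST = {"plan", "country"}

def pseudonym(key, email):
    """Keyed, deterministic opaque ID. Without the key, the recipient cannot
    recompute IDs from a list of known e-mail addresses (unlike a bare hash)."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:32]

def prepare_export(key, records):
    """Return (rows that may leave the EU, EU-only table pseudonym -> email)."""
    export, lookup = [], {}
    for rec in records:
        unknown = set(rec) - DIRECT_IDENTIFIERS - EXPORT_ALLOWLIST
        if unknown:
            # Fail closed: an unclassified field may carry personal data.
            raise ValueError(f"unclassified fields: {sorted(unknown)}")
        pid = pseudonym(key, rec["email"])
        lookup[pid] = rec["email"].strip().lower()
        row = {"subject_id": pid}
        row.update({k: v for k, v in rec.items() if k in EXPORT_ALLOWLIST})
        export.append(row)
    return export, lookup

def leaks_identifier(export, records):
    """Egress check: True if any raw identifier value appears in the export."""
    raw = {str(rec[f]).strip().lower()
           for rec in records for f in DIRECT_IDENTIFIERS if f in rec}
    return any(str(v).strip().lower() in raw
               for row in export for v in row.values())

# Constructed sample records (not real data).
SAMPLE = [
    {"email": "Anna@example.eu", "name": "Anna Muster", "plan": "pro", "country": "DE"},
    {"email": " anna@example.eu ", "name": "Anna Muster", "plan": "pro", "country": "DE"},
    {"email": "luc@example.eu", "name": "Luc Exemple", "plan": "free", "country": "FR"},
]

if __name__ == "__main__":
    eu_key = secrets.token_bytes(32)  # in practice held in an EU-side KMS/HSM
    rows, table = prepare_export(eu_key, SAMPLE)
    assert not leaks_identifier(rows, SAMPLE)
    for row in rows:
        print(row)  # only these rows are sent; `table` and `eu_key` stay in the EU
```

The keyed construction matters: an unkeyed hash of an e-mail address can be reversed by anyone holding a candidate address list, whereas here re-identification requires the EU-held key or lookup table.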
Other regional regimes
- UK Extension to DPF (Oct 2023). UK companies can transfer to DPF-certified US entities.
- Swiss-US DPF. Same model, separate certification.
- Brazil LGPD Art 33. Adequacy decisions pending; SCC-equivalent contracts allowed.
- India DPDPA §16. Restricted-territories list to be notified; default permitted unless restricted.
- Korea PIPA Art 17. Opt-in re-consent often required for cross-border transfers; one of the strictest regimes.
Practical workflow
For every vendor you onboard: (1) document where the data physically goes, (2) identify the legal mechanism, (3) run a TIA if the mechanism is SCCs or DPF, (4) document supplementary technical measures, (5) re-review annually. Vendor due-diligence templates handle this systematically.