Cross-Border Data Transfer

Cross-border data transfers occur when personal data is transferred from one jurisdiction to another. Under GDPR, transfers of personal data outside the EEA are restricted and require one of several safeguards: an adequacy decision (the destination country has adequate data protection), Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), explicit consent, or specific derogations. The Schrems II decision (2020) invalidated the EU-US Privacy Shield and imposed additional requirements for transfers to countries without adequate protection, including Transfer Impact Assessments. The EU-US Data Privacy Framework was adopted in 2023 as a replacement mechanism for EU-US transfers.