From Safe Harbor to Schrems III
The term "Schrems III" in the context of data transfers refers to the anticipated challenge to the DPF adequacy decision by NOYB, which as of the date of publication has not yet reached the CJEU.
Transferring personal data outside the EEA is one of the most challenging GDPR issues. The CJEU history: Safe Harbor invalidated (Schrems I, 2015), Privacy Shield invalidated (Schrems II, 2020), and now the EU-US Data Privacy Framework (DPF) faces a new NOYB challenge.
Standard Contractual Clauses — Are They Enough?
SCCs remain the most common transfer mechanism but require a Transfer Impact Assessment (TIA) after Schrems II. Simply signing SCCs is not enough — evaluate whether the recipient country provides adequate protection.
- Conduct a TIA for each non-adequacy country transfer
- Implement supplementary measures if TIA identifies risks
- Document the analysis for the supervisory authority
- Update TIAs after legislative changes in recipient countries
Practical Steps
- Transfer inventory — map all data flows outside EEA, including sub-processors
- Mechanism hierarchy — adequacy decisions first, SCCs as Plan B
- End-to-end encryption — key supplementary measure
- Contingency plan — prepare for possible DPF invalidation
Binding Corporate Rules (BCR)
For companies with extensive international structures, BCRs remain the most robust mechanism. Approval takes 12–18 months, but provides flexibility for intra-group transfers independent of adequacy decisions.
Need help mapping your data transfers? Schedule a consultation.