Lesson 17 of 25

International Data Transfers: Adequacy, SCCs, BCRs & Schrems

5 min read · CIPP/E

Conquer the exam's hardest topic: the Chapter V transfer hierarchy, the Schrems I and II rulings, transfer impact assessments, and the EU-US Data Privacy Framework. Know which mechanism applies when.

Why transfers are restricted

  • Chapter V — transfers to non-EU 'third countries'
  • Goal: protection travels with the data
  • Article 44 — no transfer that undermines GDPR protection
  • One of the exam's hardest, most-tested topics

International data transfers are among the hardest topics on the exam, and Domain three gives them real weight. The logic is in Article 44, the general principle: when you send personal data to a country outside the EU or the European Economic Area, a so-called third country, the level of protection guaranteed by the GDPR must not be undermined. In other words, the protection has to travel with the data.

You cannot do indirectly, by exporting data abroad, what the GDPR forbids you to do at home. Chapter V then sets out the permitted transfer mechanisms in a rough hierarchy, and you need to know all of them and the famous court cases that shaped them.

Adequacy decisions (Article 45)

  • Commission decides a country offers adequate protection
  • Then data flows freely, like an intra-EU transfer
  • Examples: UK, Switzerland, Japan, and others
  • EU-US Data Privacy Framework (2023) for certified US firms

The cleanest mechanism is an adequacy decision under Article 45. The European Commission can decide that a third country, territory, or sector ensures an adequate level of data protection, essentially equivalent to the EU's. Once it does, data can flow to that country as freely as within the EU, with no extra safeguards needed.

The Commission has recognised a number of countries, including, for example, the United Kingdom, Switzerland, and Japan. For the United States, there is a partial route: the EU-US Data Privacy Framework, for which the Commission adopted an adequacy decision in July 2023. It allows transfers to US organisations that self-certify to the framework.

Adequacy is the top of the hierarchy because it requires nothing extra from the exporter.

Appropriate safeguards: SCCs and BCRs (Articles 46-47)

  • Used where there is no adequacy decision
  • SCCs — standard contractual clauses approved by the Commission
  • BCRs — binding corporate rules for intra-group transfers
  • Modernised SCCs adopted 2021

Where there is no adequacy decision, you turn to appropriate safeguards under Article 46. The most common are Standard Contractual Clauses (SCCs): pre-approved contract templates published by the Commission, with the modernised set adopted in 2021, which the data exporter and importer sign to commit the importer to GDPR-level protections. The other major Article 46 tool, detailed in Article 47, is Binding Corporate Rules (BCRs): internal data-protection rules approved by a supervisory authority that let a multinational group transfer data among its own entities worldwide.

BCRs are powerful but slow to get approved. Article 46 also recognises approved codes of conduct and certification mechanisms as safeguards. These mechanisms put the protection into a contract or binding internal rules rather than relying on the destination country's laws.

Schrems I and Schrems II

  • Schrems I (C-362/14, 2015) — struck down Safe Harbor
  • Schrems II (C-311/18, 2020) — struck down Privacy Shield
  • SCCs survived, but with a catch
  • US surveillance law was the core concern

Now the cases that define this topic. Maximilian Schrems, an Austrian privacy activist, challenged transfers of his Facebook data to the US. In Schrems I, case C-362/14, decided in 2015, the Court of Justice invalidated the Safe Harbor framework, the then-current US adequacy arrangement, because US surveillance law gave authorities access to EU data without adequate protection or redress.

Safe Harbor was replaced by the Privacy Shield, but in Schrems II, case C-311/18, decided in 2020, the court struck that down too, for the same fundamental reason. Importantly, Schrems II upheld Standard Contractual Clauses as valid in principle, but added a major condition that reshaped practice, which we cover next. The current EU-US Data Privacy Framework is the response to Schrems II, and it too may be challenged.

TIAs, supplementary measures, and derogations

  • Schrems II: assess the destination's laws (a TIA)
  • Add supplementary measures (e.g. encryption) if needed
  • Article 49 derogations — exceptions for specific situations
  • Derogations are narrow, occasional, last-resort

Schrems II's lasting effect is the transfer impact assessment, or TIA. Even when you use SCCs, you must assess whether the law and practice of the destination country would prevent the importer from honouring them, particularly because of government access to data. If protection falls short, you must add supplementary measures, such as strong encryption where you hold the keys, or stop the transfer.

The Body of Knowledge lists the TIA explicitly. Finally, when no adequacy decision and no Article 46 safeguard is available, Article 49 provides derogations for specific situations: the person's explicit consent to the transfer after being warned of the risks, transfers necessary to perform a contract, important reasons of public interest, or legal claims. But derogations are meant to be narrow, occasional, and non-repetitive, a last resort, not a routine basis for ongoing transfers.

The exam tests that they are exceptional.

Recap

  • Hierarchy: adequacy → safeguards (SCCs/BCRs) → derogations
  • Schrems I killed Safe Harbor; Schrems II killed Privacy Shield
  • SCCs survived but require a TIA + supplementary measures
  • EU-US Data Privacy Framework (2023) is the current US route

So here is the transfers hierarchy. First, adequacy under Article 45, where the Commission has blessed the destination country, including the EU-US Data Privacy Framework for certified US firms since 2023. Next, appropriate safeguards under Articles 46 and 47, mainly Standard Contractual Clauses and Binding Corporate Rules.

And last, the narrow Article 49 derogations. Schrems I struck down Safe Harbor in 2015, Schrems II struck down Privacy Shield in 2020, and Schrems II also requires a transfer impact assessment and supplementary measures even when you use SCCs. That completes Domain three.

Go take the Domain three practice test before we move into scope and accountability.

Sources

  • Regulation (EU) 2016/679 (GDPR), Chapter V: Article 44 (general principle), Article 45 (adequacy), Article 46 (appropriate safeguards/SCCs), Article 47 (BCRs), Article 49 (derogations)
  • CJEU, Schrems I, C-362/14 (2015)
  • CJEU, Schrems II, C-311/18 (2020)
  • EU-US Data Privacy Framework adequacy decision (10 July 2023)
  • Commission Implementing Decision (EU) 2021/914 (modernised SCCs)
  • EDPB Recommendations 01/2020 on supplementary measures

Test your knowledge

A few CIPP/E questions on this material.

  1. A company collects job applicants' data for recruitment. Unknown to applicants, it also uses the data to score applicants on a proprietary 'cultural fit' algorithm not disclosed in the privacy notice. The company can point to a valid Article 6 lawful basis. Is the processing nonetheless problematic?

  2. Under the GDPR's right to erasure, which of the following circumstances does NOT justify erasure?

  3. A data subject asks to have data that a company inferred about their preferences, derived analytically from their purchase history, ported to a competitor. Does the right to portability cover this inferred data?

  4. An automated insurance underwriting system makes decisions affecting premiums with no human involvement. A customer wants to challenge their premium under Article 22. Which exception to the Article 22 prohibition, if applicable, still requires the insurer to provide safeguards?
