Schrems II, Standard Contractual Clauses, and Cross-Border Data Transfers
The landmark CJEU ruling that invalidated Privacy Shield and established the current legal framework for transferring personal data from the EU to third countries.
In Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Case C-311/18, "Schrems II"), the Court of Justice of the European Union (CJEU) issued its judgment on July 16, 2020, invalidating the EU-US Privacy Shield framework and upholding Standard Contractual Clauses (SCCs) as a valid transfer mechanism — but adding a critical new obligation: transfer impact assessments (TIAs). The Court held that the mere existence of SCCs is insufficient where the law of the destination country does not ensure protection essentially equivalent to that guaranteed under EU law (GDPR Article 46). For the US, the Court found that surveillance programs under Section 702 of FISA and Executive Order 12333 precluded US law from providing adequate protection, so organizations must assess whether supplementary measures can bridge the gap before relying on SCCs.
The engineering response to Schrems II requires a three-step process specified by the EDPB in Recommendations 01/2020 on measures that supplement transfer tools. Step 1: map all data transfers to third countries, including "onward transfers" (EU data processed by a US cloud provider's subprocessor in a non-adequate country). Step 2: identify the transfer tool in use (SCCs, Binding Corporate Rules, adequacy decision, derogations). Step 3: assess the law and practice of the destination country for interference with the protection guaranteed by the transfer tool. If the assessment reveals that protection is not adequate, the controller must implement supplementary measures. The EDPB identified effective supplementary measures including: end-to-end encryption where the service provider has no access to decryption keys; pseudonymization before transfer; and data aggregation that prevents re-identification. Supplementary measures that the EDPB explicitly stated are NOT effective include contractual assurances from the importer, non-technical organizational measures alone, and encryption where the importer holds the keys.
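The following is an added worked example, not code from the page or from the EDPB, of the "pseudonymization before transfer" measure described above: direct identifiers are replaced with keyed HMAC-SHA256 tokens before the records leave the EU, while the key and the token-to-identity lookup table stay with the exporter. The dataset, field names and helper names (`pseudonymize_records`, `reidentify`, `export_leaks_identifier`) are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample dataset (not real people): records an EU controller wants to
# send to an analytics processor in a third country.
SAMPLE_RECORDS = [
    {"email": "alice@example.eu", "country": "DE", "plan": "pro", "spend_eur": 120},
    {"email": "bob@example.eu", "country": "FR", "plan": "free", "spend_eur": 0},
    {"email": "alice@example.eu", "country": "DE", "plan": "pro", "spend_eur": 80},
]

# Fields treated as direct identifiers; everything else is kept for analytics.
DIRECT_IDENTIFIERS = ("email",)


def new_pseudonymization_key() -> bytes:
    """Generate the secret key. It stays with the EU exporter and is never shipped
    with the data; without it the tokens below cannot be reversed."""
    return secrets.token_bytes(32)


def pseudonym_token(key: bytes, field: str, value: str) -> str:
    """Keyed HMAC-SHA256 over field:value. Binding the field name means the same
    string appearing in two different fields does not yield a linkable token."""
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def pseudonymize_records(records, key, identifier_fields=DIRECT_IDENTIFIERS):
    """Return (export_set, lookup_table).

    export_set:   copies of the records with identifiers replaced by tokens;
                  this is the only thing that crosses the border.
    lookup_table: token -> original value, retained inside the EU so the
                  controller can re-identify results that come back.
    """
    export_set = []
    lookup_table = {}
    for record in records:
        out = dict(record)
        for field in identifier_fields:
            if field in out:
                token = pseudonym_token(key, field, str(out[field]))
                lookup_table[token] = out[field]
                out[field] = token
        export_set.append(out)
    return export_set, lookup_table


def reidentify(record, lookup_table, identifier_fields=DIRECT_IDENTIFIERS):
    """Reverse the mapping on the EU side using the retained lookup table."""
    out = dict(record)
    for field in identifier_fields:
        if field in out and out[field] in lookup_table:
            out[field] = lookup_table[out[field]]
    return out


def export_leaks_identifier(export_set, original_records, identifier_fields=DIRECT_IDENTIFIERS):
    """Pre-transfer check: does any original identifier value still appear in the export?"""
    originals = {str(r[f]) for r in original_records for f in identifier_fields if f in r}
    for record in export_set:
        for value in record.values():
            if str(value) in originals:
                return True
    return False


if __name__ == "__main__":
    key = new_pseudonymization_key()
    export_set, lookup_table = pseudonymize_records(SAMPLE_RECORDS, key)
    assert not export_leaks_identifier(export_set, SAMPLE_RECORDS)
    # The importer can still aggregate per pseudonymous user without knowing who they are.
    totals = {}
    for r in export_set:
        totals[r["email"]] = totals.get(r["email"], 0) + r["spend_eur"]
    print(totals)
```

Two design points matter for the EDPB criteria: an unkeyed hash would not qualify, because low-entropy identifiers such as e-mail addresses can be recovered by brute force, so the key must be secret and must remain with the exporter; and the check in `export_leaks_identifier` only covers direct identifiers, so the remaining attributes (here `country` and `plan`) still have to be reviewed for re-identification risk in combination before the measure can be treated as effective.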
The new EU SCCs (published by the European Commission in June 2021, Commission Implementing Decision (EU) 2021/914) replaced the previous 2001 and 2010 model clauses. They include four modules for different transfer scenarios: Module 1 (controller to controller), Module 2 (controller to processor), Module 3 (processor to processor), and Module 4 (processor to controller). Organizations had until December 27, 2022 to migrate existing contracts to the new SCCs. The new SCCs include mandatory TIA documentation as an exhibit and include specific technical and organizational measures annexes where supplementary measures must be described. Failure to complete TIAs or to implement effective supplementary measures is an enforcement priority: the Irish DPC issued Meta a €1.2 billion fine in May 2023 specifically for FISA Section 702 exposure in data transfers relying on SCCs without adequate supplementary measures.
We perform transfer impact assessments for all cross-border data flows, using our regulatory intelligence database to assess surveillance laws in destination countries against the EDPB's Recommendations 01/2020 criteria. We architect encryption architectures where the EU controller retains exclusive key management, implement pseudonymization pipelines for analytics workloads that require cross-border transfer, and maintain updated SCC contract suites with TIA documentation as required annexes.