Data transfers between the EU and third states after the EU-U.S. Privacy Shield

As the CJEU has declared the EU-U.S. Privacy Shield invalid in its decision on Schrems II, data controllers now have to resort to different data protection safeguards when transferring data to the U.S. While Standard Contractual Clauses (SCCs) remain valid, the CJEU enforces some additional requirements if controllers wish to rely on them as a data protection safeguard. The statement by the EDPB (European Data Protection Board) helps controllers answer questions about continued U.S. or third country data transfers. We summarise the most important points and outline relevant guidance for future data transfers for companies and organisations that previously relied on the EU-U.S. Privacy Shield.

The EDPB statement

First and foremost, the CJEU invalidated the EU-U.S. Privacy Shield without maintaining its effects, as the U.S. law assessed by the Court does not provide a substantially equivalent level of protection to the EU. This means that there is no transitional period applicable to companies or organisations that base their data transfers to the U.S. on the Privacy Shield and therefore these transfers must be prohibited immediately.

In other words, your business must now adhere to alternative safeguards for transfers to the U.S., such as SCCs and BCRs (Binding Corporate Rules), if you want to continue a dataflow that was previously based on Privacy Shield.

Alternative transfer tools: SCCs and BCRs

Companies that transfer data to a U.S. data importer adherent to the Privacy Shield could consider SCCs as a relevant alternative legal basis to continue data exports to the U.S., subject to some conditions. Data exporters have to take supplementary measures along with SCCs to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.

In the case of BCRs, U.S. law also has primacy over this tool. Therefore, for both SCCs and BCRs, the data exporter has to assess case-by-case whether or not the transfer meets appropriate safeguards while taking into account the circumstances and possible supplementary measures. If this is not possible, the controller must stop any data transfers.

The EDPB emphasises that controllers must ensure that the data importer can guarantee a substantially equivalent standard in the case of data transfers outside the EU/EEA, according to Art. 46 GDPR. These necessary safeguards apply to SCCs and BCRs for transfers to the U.S. as well as to any other third country. Although the EDPB has not yet published clear guidance on how to assess whether or not appropriate safeguards are guaranteed, it announced it is planning on doing so.

Derogations of Art. 49 GDPR

The EDPB clarifies that it generally remains possible to transfer data from the EU/EEA to the U.S. based on derogations foreseen in Art. 49 GDPR if the respective conditions are fulfilled:

  • Transfers based on the consent of the data subject are possible if the consent obtained is explicit, specific for the particular data transfer and informed, particularly to the potential risks of the transfer.
  • Transfers for the performance of a contract between the data subject and the controller are possible if the transfer is merely occasional and objectively necessary for the performance of the contract.
  • Transfers that are necessary for important reasons of public interest are allowed, only if an essential public interest can be established (not the nature of the organisation) and if such transfers do not take place on a large scale and in a systematic manner.

Data processing agreements

The EDPB pointed out that the controlling companies or organisations using processors must clarify if these processors transfer data to the U.S. or another third country. This information should be provided in the contract concluded with the processor under Art. 28 (3) GDPR (e.g. data processing agreement) and should contain authorisations for possible third country transfers. The EDPB advises companies and organisations to review the contracts and be particularly careful about possible sub-processors that processors use, as data is often stored or maintained in third countries especially in the case of computing solutions.

Controllers must act if a processing agreement indicates data transfers to the U.S. and neither providing supplementary measures to ensure a substantially equivalent level of protection nor any derogations under Art. 49 GDPR apply. In such cases, the only solution to continue using such services is to negotiate an amendment or supplementary clause to the contract and forbid transfers to the U.S. If data transfers to another third country are at stake, the controller must verify whether or not the legislation of that country makes compliance with an equivalent level of protection possible. Otherwise, data transfers must be suspended, and the controller must arrange for all processing activities to take place in the EU/EEA.

Recommendations for businesses

If you are a data controller and wish to continue to transfer personal data to the U.S. or another third country, there are several steps to follow. You can consult your organisation’s Data Protection Officer (DPO) for further support in implementing the necessary changes:

  1. Review your company’s international data transfers, which should be listed in the records of processing activities (ROPAs) under 30(1) GDPR, to identify transfers to the U.S. or third countries and the respective data importers.
  2. For all international data transfers that were previously based on the EU-U.S. Privacy Shield, ensure an alternative safeguard. The use of possible alternatives, such as SCCs, requires a previous assessment of the third country’s legislation. Additionally, a risk analysis focussing on the kind of data transferred, the scope of data transfers as well as technical and organisational measures in place can be helpful to determine the level of protection afforded.
  3. If relevant, update your company’s privacy policy on the website as well as other information letters to ensure compliance with the information duties under Articles 13 and 14 GDPR.

The EDPB already announced it would publish further clarifications concerning data transfers to the U.S. and other third countries. Therefore, it is crucial to stay up-to-date about new developments, for instance by following our newsletter.

Focus on your business in the EU and worldwide. We take care of your group's GDPR compliance!


  1. Mara Profile Picture

    Hello Theresa.
    Congratulations for the article titled: “Data transfers between the EU and third states after the EU-U.S. Privacy ShieldCongratulations for you article about SCC”.

    I have a question but I’m not sure if you would be able to help me. I work in a company which is a Controller and I was researching on Liabilites and right to claim back the damages from the Processor/Exporter.
    I’m trying to understand which law prevails in case of a data processing agreement according to SCC.


    According to Article. 6(1) of SCC: The Parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in clause 3 or in clause 11, by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

    However, in GDPR clause 82:

    “A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.”

    In case of dispute , would be possible to claim back the damages from the processor under a civil court according to GDPR? or Shall the Pacta-Surta servanda prevail, meaning, clause 6 of CGG?

    Thank you for your time and I hope you can help me, as I believe is a very important and interesting topic.

    Kind Regards


    1. Evelyne Sørensen Profile Picture
      Evelyne Sørensen

      Dear Mara,

      Thank you for your comment.

      Under the GDPR, whenever a controller commissions a processor a written contract must be in place (also in addition to the SCC). This is important so the parties understand their responsibilities and liabilities. The mandatory requirements of the data processing agreements are set out in Article 28 of the GDPR. Any contracts in place on 25 May 2018 must meet the new GDPR requirements.

      With regard to the allocation of liability, Article 82(2) of the GDPR is clear:

      “Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.”

      It is only towards the data subjects and the supervisory authorities that the parties cannot go against the provisions of Article 82(2). Between them, the parties remain free to allocate the risk as they see fit. Consequently, there is no reason to renegotiate the liability cap already agreed upon.

      Best regards,
      Evelyne Sørensen

Leave a Reply

Your email address will not be published. * Required fields.

Netiquette: We do not tolerate grossly unobjective contributions or advertising on our own behalf and will not publish corresponding entries but delete them. I have been informed about the processing of my data according to the privacy policy of