GDPR Data Transfers in 2026: Navigating the Post-Schrems II Framework
A practitioner-level analysis of GDPR international data transfer mechanisms in 2026: the current legal status of the EU-US Data Privacy Framework under political pressure, Standard Contractual Clauses, Binding Corporate Rules, non-US adequacy decisions, Transfer Impact Assessments, and contingency planning for DPO, CLO, CTO, and Privacy Counsel.
Morvantine Editorial — Legal
19 January 2026
Introduction: The Permanent Instability of Transatlantic Data Flows
The invalidation of Privacy Shield by the Court of Justice of the European Union in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (C-311/18, Schrems II, July 16, 2020) exposed a structural incompatibility between US surveillance law — primarily Executive Order 12333 and Section 702 of the Foreign Intelligence Surveillance Act (FISA) — and the GDPR's requirements for equivalent data protection in third countries. The EU-US Data Privacy Framework (DPF), adopted by Commission Decision C(2023) 4745 on July 10, 2023, was presented as the durable resolution. Three years later, it faces a set of legal, political, and institutional pressures that every data protection professional should treat as a live risk rather than a resolved problem.
This article analyzes the full spectrum of data transfer mechanisms available under GDPR Article 44 and the EU-US DPF adequacy decision, assesses their relative legal robustness, and provides practical frameworks for organizations that need to maintain operational continuity regardless of the DPF's fate.
The EU-US Data Privacy Framework: Legal Status in 2026
The DPF Architecture
Commission Decision C(2023) 4745 declared that the US ensures an adequate level of protection for personal data transferred to organizations certified under the DPF. The DPF's core legal infrastructure comprises:
- EO 14086 (Enhancing Safeguards for United States Signals Intelligence Activities, October 7, 2022), which established proportionality requirements for signals intelligence collection and the redress mechanism
- The Data Protection Review Court (DPRC), established under EO 14086 as an independent body to receive and adjudicate EU individual complaints about US intelligence access to their data
- The DPF Principles (substantially similar to former Privacy Shield principles), administered by the US Department of Commerce, with FTC enforcement authority
Current Legal Challenges
As of Q1 2026, the DPF faces three significant legal threats.
Challenge One: La Quadrature du Net (CJEU Case C-078/25). Filed in January 2025 before the CJEU, this challenge argues that EO 14086 does not adequately constrain FISA Section 702 bulk collection, and that the DPRC — a non-Article III court operating under executive authority — does not meet the CJEU's requirements in Schrems II for "effective judicial protection." The CJEU issued an expedited procedure request in March 2025; the Advocate General's opinion is expected in Q3 2026, with a final judgment potentially in late 2026 or early 2027. CJEU Advocate General opinions in privacy cases have historically been adopted in the final judgment (the AG opinion in Schrems II itself presaged the invalidation).
Challenge Two: US Political Developments. The second Trump administration's posture toward FISA Section 702 reauthorization and signals intelligence reform has raised questions about the operational continuity of the DPF's US-side commitments. The DPRC has processed fewer than 50 cases in its first 18 months — substantially fewer than European data protection authorities anticipated based on the volume of EU citizen data processed by US companies — leading to academic and civil society concerns about its practical effectiveness.
Challenge Three: European Data Protection Board (EDPB) Review. Under Recital 186 of the DPF adequacy decision, the Commission committed to reviewing the decision within three years of adoption (i.e., by July 2026). The EDPB's Article 70 opinion on the first annual review (October 2024) noted continued concerns about the DPRC's transparency, Section 702's breadth, and the absence of bulk collection limitations equivalent to EU proportionality standards.
Practical conclusion: The DPF should be used as a primary transfer mechanism where available, but no organization that cannot operationally tolerate a sudden adequacy invalidation should rely on the DPF alone without an active fallback mechanism.
Standard Contractual Clauses: The Indispensable Fallback
Legal Framework
Standard Contractual Clauses (SCCs) are the workhorse of GDPR international data transfers. Commission Implementing Decision 2021/914 (June 4, 2021) replaced the legacy SCCs with a modular framework covering four transfer configurations:
- Module 1: Controller-to-controller transfers
- Module 2: Controller-to-processor transfers
- Module 3: Processor-to-processor transfers
- Module 4: Processor-to-controller transfers
The new SCCs incorporated the Schrems II requirements directly: Clause 14 requires an assessment of the third country's laws, and Clause 15 imposes notification and transparency obligations when government authority requests for data are received.
The Transfer Impact Assessment Obligation
Schrems II held that the use of SCCs does not automatically ensure adequate protection — the exporter must conduct a case-specific Transfer Impact Assessment (TIA) to verify that the SCCs can be effective in the destination country. The EDPB's Recommendations 01/2020 on transfers (adopted November 2020, updated June 2021) provide the framework:
Step 1: Map transfers — identify what personal data is transferred, to which country, for what purpose, under which transfer mechanism.
Step 2: Verify the transfer tool — confirm the applicable SCC module and that it has been correctly implemented.
Step 3: Assess the third country's legal framework — evaluate whether the destination country's laws on government access to data are compatible with the SCCs' guarantees. Key factors: whether access powers are proportionate, whether effective judicial/quasi-judicial redress exists, whether bulk collection is authorized.
Step 4: Identify and adopt supplementary measures — if the TIA reveals that the SCCs alone cannot ensure adequate protection, technical (encryption, pseudonymization), contractual (additional warranties from importers), or organizational measures must be adopted.
Step 5: Take formal procedural steps — execute the SCCs, maintain TIA documentation, notify DPAs where required.
SCCs and US Transfers in 2026
The EDPB's guidance following Schrems II noted that SCCs alone were insufficient for US transfers involving data categories likely to attract intelligence service interest (telecommunications metadata, cloud communications content). The revised SCCs' Clause 15 notification requirement — requiring the US importer to notify the EU exporter of government access requests — creates a practical compliance obligation that most US cloud providers have addressed through DPA-approved notification language.
For US transfers not covered by the DPF (because the US recipient is not DPF-certified, or the data category falls outside DPF scope), Module 2 SCCs with an appropriate TIA and supplementary technical measures (encryption with EU-managed keys, pseudonymization at source) represent the most legally robust fallback.
Binding Corporate Rules: The Gold Standard and Its Costs
What BCRs Provide
Binding Corporate Rules (Articles 46(2)(b), 47 GDPR) are approved intra-group transfer mechanisms that permit personal data transfers among group entities across jurisdictions. Approved by the lead supervisory authority under the Article 60 consistency mechanism, BCRs bind all group entities as third-party beneficiaries and provide data subjects with enforceable rights against the BCR controller.
BCRs are the most robust GDPR transfer mechanism for multinational groups because:
- They are not jurisdiction-specific — once approved, they cover transfers to all group entities globally (not just US)
- They survive adequacy decision invalidations — BCRs represent the group's own commitment to adequate protection, not reliance on a third country's legal framework
- They provide stronger third-party enforceability than SCCs
BCR Approval Timeline and Cost
BCR approval is slow and resource-intensive:
- Lead DPA identification: 1–3 months to determine the competent lead supervisory authority
- Application submission: 3–6 months to prepare BCR documentation (controller BCRs or processor BCRs) per the EDPB's WP256 (BCR for Controllers) and WP257 (BCR for Processors) templates
- DPA review and Article 60 process: 12–24 months from submission to approval
- Cost: EUR 500,000–2 million in external legal fees and internal compliance resources for large multinational groups
As of January 2026, the EDPB's BCR register lists 148 approved controller BCRs and 79 approved processor BCRs — predominantly for large technology companies, financial institutions, and industrial groups. BCRs are not practical for mid-market companies or for companies anticipating significant M&A activity (each acquisition of a non-BCR entity requires a BCR amendment procedure).
Adequacy Decisions Beyond the US: The Global Transfer Map
The European Commission has adopted adequacy decisions for 15 countries/territories under Article 45 GDPR, providing SCC-free transfer pathways. Critically, these decisions vary in scope and legal durability:
| Country/Territory | Adequacy Decision | Scope | Legal Status (March 2026) | Key Risks |
|---|---|---|---|---|
| UK | C(2021) 4800 (June 2021) | General (GDPR Art. 45) | Valid; under sunset review by June 2025 — extended to June 2027 pending UK adequacy reassessment | UK's post-Brexit surveillance law divergence; possible CJEU challenge |
| Switzerland | C(2000) 3503 | General (Directive 95/46/EC framework) | Pre-GDPR; Commission initiated update assessment 2022; remains operative | Pre-GDPR vintage; legal uncertainty on GDPR-era standards |
| Japan | C(2019) 61 | General (GDPR Art. 45) | Valid; under 4-year review | Supplementary rules required; APPI-GDPR gap analysis needed |
| South Korea | C(2021) 6065 | General (GDPR Art. 45) | Valid | PIPA amendments may require reassessment |
| Canada (PIPEDA) | 2002/2/EC | Commercial organizations only | Pre-GDPR; Commission review initiated 2023; CPPA reform pending | PIPEDA replacement (CPPA) may affect adequacy coverage |
| Israel | C(2011) 332 | General | Pre-GDPR; under reassessment | Pre-GDPR vintage; Israeli surveillance law questions |
| New Zealand | C(2013) 2896 | General | Under review following Privacy Act 2020 amendments | Generally robust |
| Argentina | C(2003) 1731 | General | Pre-GDPR; under modernization review | Pre-GDPR vintage |
| US (DPF only) | C(2023) 4745 | DPF-certified organizations only | See above — litigation pending | CJEU challenge; DPRC effectiveness |
For organizations designing transfer architecture, the combination of Japan (adequacy) + UK (adequacy) + EU SCCs for non-adequate destinations provides the broadest coverage with the least day-to-day compliance burden.
Transfer Impact Assessments: Methodology and Documentation
The Regulatory Expectation
Supervisory authority enforcement since Schrems II has made TIA documentation a standard audit target. The Irish Data Protection Commission (DPC), in its enforcement actions against Meta (the December 2022 decision, EUR 390 million fine, and the Meta Platforms Ireland transfer decision of May 2023, EUR 1.2 billion fine, the largest GDPR fine to date) specifically examined the adequacy of Meta's TIA for US transfers. The DPC found that Meta's reliance on SCCs without adequate supplementary measures, combined with deficient TIA documentation, warranted the fine and the suspension order.
The French CNIL, German DSK, and Dutch AP have each issued TIA guidance that, while consistent with EDPB Recommendations 01/2020, emphasizes jurisdiction-specific factors: French enforcement has focused on cloud provider transfers; German enforcement on HR data processors; Dutch enforcement on health data cross-border flows.
TIA Documentation Minimum Standards
A TIA document should contain at minimum:
- Transfer map extract: Data categories, data subjects, purpose, legal basis for processing, destination country, recipient identity
- Transfer mechanism: Applicable SCC module, BCR, or adequacy decision (with citation to Commission Decision)
- Third-country legal analysis: Assessment of surveillance law framework, proportionality, judicial oversight — referencing EDPB country-specific recommendations where available
- Supplementary measures implemented: Technical (with description), contractual (with reference to SCC clauses), organizational
- Conclusion: Whether the measures ensure effective protection equivalent to GDPR standards
- Review date: TIAs should be reviewed annually and on any material change in the transfer mechanism or destination country's legal framework
- Sign-off: DPO and Legal sign-off, with board reporting for high-risk transfers
Contingency Planning: What Happens if the DPF Falls Again
The Schrems I/II Playbook
Organizations that maintained operational continuity after both Schrems I (2015) and Schrems II (2020) share a common characteristic: they had executed SCCs with all US processors before the invalidation and maintained current TIAs. Those that relied exclusively on the adequacy framework then in force and had not executed fallback SCCs faced immediate operational disruption: technically unlawful transfers during the period between invalidation and SCC implementation.
The CJEU's Schrems II judgment was issued on July 16, 2020, with no transition period. Supervisory authorities announced that they would not immediately enforce given the implementation timelines required, but ongoing transfers without a valid mechanism remained technically unlawful. A repeat scenario following a DPF invalidation would likely produce the same regulatory stance — supervisory tolerance for a short transition period, followed by enforcement against organizations that were not prepared.
Contingency Framework
Immediate actions (within 90 days of a DPF invalidation judgment):
- Execute Module 2 SCCs with all US processor relationships currently relying solely on DPF certification. The SCCs can be executed now as a protective layer alongside the DPF — dual-layering is legally permissible and recommended.
- Refresh TIAs for US transfers to reflect the post-invalidation landscape: the DPRC mechanism would be unavailable, EO 14086 would no longer be the operative redress framework, and the supplementary measures analysis would need to assume the absence of the DPF safeguards.
- Implement technical supplementary measures for high-risk transfer categories (special category data under Article 9; children's data; data subject to high DPA attention): encryption with EU-managed keys so that even if US law compels access, the data is inaccessible in intelligible form.
- Assess data minimization opportunities: For transfers that are not operationally essential, discontinue or pseudonymize before transfer. The volume of transfer determines the risk profile.
- Notify the board: GDPR Article 83(4) exposure (up to EUR 10 million or 2% of global turnover for procedural violations) and Article 83(5) exposure (up to EUR 20 million or 4% of global turnover for substantive violations including unlawful transfers) require board-level awareness of the contingency posture.
Medium-term restructuring (6–18 months):
- Evaluate EU data residency: For data categories with the highest risk profile, assess whether EU-based cloud infrastructure (AWS EU, Azure EU, Google Cloud EU) with contractual data residency commitments eliminates the transfer entirely. A transfer does not occur if the data never leaves the EEA.
- Evaluate BCR application: For groups with ongoing transatlantic data flows across multiple group entities, the BCR application timeline (18–24 months) should be initiated now, not after invalidation.
Comparative Transfer Mechanism Analysis
| Mechanism | Legal basis (GDPR) | Coverage | Legal robustness | Operational burden | Best suited for |
|---|---|---|---|---|---|
| Adequacy decision (DPF) | Art. 45 | DPF-certified US orgs only | Medium — CJEU challenge pending | Low (no SCCs required) | US cloud SaaS providers with DPF certification |
| Adequacy decision (UK, Japan, etc.) | Art. 45 | General transfers to adequate countries | High (UK under review) | Very low | UK, Japan, South Korea transfers |
| SCCs (Module 2) | Art. 46(2)(c) | Any third country; all data categories | High when properly implemented with TIA | Medium (TIA + supplementary measures) | US processor relationships; non-DPF transfers |
| BCRs | Art. 46(2)(b), 47 | Intra-group transfers only | Very high — DPA-approved | Very high (18–24 months, EUR 500k+) | Large multinational groups with frequent intra-group transfers |
| Derogations (Art. 49) | Art. 49 | Case-by-case; non-repetitive | Low — restricted to exceptional circumstances | High (case-by-case justification) | One-off transfers (litigation data, urgent medical) |
| Art. 49 explicit consent | Art. 49(1)(a) | Any transfer with informed consent | Low — consent can be withdrawn | High (GDPR-compliant consent mechanism) | Consumer data where data subject choice is genuine |
Practical Takeaways for DPO, CLO, and Privacy Counsel
- Do not rely on DPF alone for operationally critical US transfers. Execute Module 2 SCCs with all US processors now, in parallel with DPF reliance. The cost of dual-layering is administrative; the cost of an unplanned transfer suspension following a CJEU invalidation is operational. The Meta EUR 1.2 billion fine for unlawful transfers is the benchmark for what regulators consider proportionate enforcement against a major processor that failed to implement adequate fallback mechanisms.
- Treat your TIA as a living document, not a one-time assessment. Regulatory enforcement has consistently found that organizations conducted TIAs at contract inception but failed to update them when US surveillance law or the transfer mechanism itself changed. EDPB Recommendations 01/2020 explicitly require periodic review. Annual TIA reviews, triggered by material legal changes in the destination country or changes in the transferred data categories, are the minimum standard. Build the review cadence into your GDPR compliance calendar.
- Map your US cloud and SaaS stack against DPF certification status. The DPF certification list (maintained at dataprivacyframework.gov) is the operative reference. Organizations routinely discover that key sub-processors used by primary SaaS providers are not DPF-certified. Sub-processor DPF certification status must be verified through the primary processor's sub-processor list and confirmed against the certification registry. Missing sub-processor coverage is a common audit finding.
- For high-risk data categories, encryption with EU-controlled keys is the most reliable supplementary measure. Technical supplementary measures that prevent intelligible access even in the event of a FISA 702 government order — specifically end-to-end encryption where decryption keys are held in the EU and are not accessible to the US processor — have been endorsed by the EDPB and national DPAs as effective measures that can bridge the adequacy gap. This architecture is available from major cloud providers (Google CMEK, AWS KMS with EU key management, Azure Customer-Managed Keys) and should be evaluated against the operational overhead for high-sensitivity data categories.
- Begin BCR preparation now if your group has more than three non-EEA group entities. BCR approval takes 18–24 months from submission. An organization that begins BCR preparation today will have an approved mechanism in place before the expected CJEU judgment on La Quadrature du Net (late 2026 / early 2027). An organization that waits for an invalidation will face a 2-year gap between the judgment and BCR approval — a period during which all intra-group transfers would rely on SCCs and TIAs at heightened scrutiny levels.
Supervisory Authority Enforcement: The Regulatory Risk Landscape
Landmark Enforcement Decisions on Data Transfers
The enforcement landscape for international data transfers has been shaped by a series of decisions that establish both the regulatory appetite for enforcement and the practical penalty exposure.
Meta Platforms Ireland — Irish DPC, May 2023 (EUR 1.2 billion). The Irish Data Protection Commission's decision against Meta Platforms Ireland Limited (now known as Meta Platforms Ireland) imposed the largest GDPR fine to date — EUR 1.2 billion — for Meta's transfers of Facebook EU user data to the US under SCCs without adequate supplementary measures. The DPC found that Meta's TIA was deficient in failing to account for FISA Section 702 mass surveillance exposure applicable to the transferred data, and that the SCCs alone did not ensure adequate protection. The DPC also ordered suspension of future transfers and deletion of unlawfully transferred data. The decision, adopted under Article 65 GDPR binding dispute resolution (following EDPB override of the DPC's original draft decision), was appealed to the Irish High Court and is ongoing as of Q1 2026.
WhatsApp Ireland — Irish DPC, September 2021 (EUR 225 million). Also involving Meta's WhatsApp service, this decision principally addressed transparency obligations but included findings on cross-border transfers to WhatsApp's US parent entity.
TikTok — Italian Garante, various decisions 2021–2024. The Italian data protection authority (Garante per la protezione dei dati personali) imposed multiple fines on TikTok's EU operations arising from transfers of EU user data to China, where PIPL (China's Personal Information Protection Law, in force November 2021) provides a legal framework that the EDPB and national DPAs have assessed as not equivalent to GDPR standards. China does not have an EU adequacy decision. TikTok's SCCs for China transfers, and the adequacy of its TIA for China-specific government access risks (particularly under China's National Intelligence Law, Article 7, which requires organizations to "support, assist and cooperate with national intelligence work"), have been the subject of ongoing scrutiny.
SRB v Advocate General (CJEU, December 2023, C-337/21). The CJEU's judgment confirmed that GDPR Chapter V transfer restrictions apply to intra-EU institutions (EEA-to-EEA transfers not covered by Article 3 GDPR) and clarified the interaction between Article 46 transfer tools and public authority processing. While not directly about US transfers, the judgment confirmed the CJEU's expansive approach to the Chapter V "transfer" concept — relevant for organizations assessing whether their data processing architectures constitute a "transfer" triggering Chapter V obligations.
DPA Investigation Trends in 2025–2026
Several national DPAs have announced or are conducting active investigations into data transfer practices in 2025–2026:
- German DSK (Conference of Independent Data Protection Supervisory Authorities): joint investigation into German companies' use of US cloud analytics tools (Google Analytics, Adobe Analytics, Salesforce) for website visitor data. The DSK's guidance documents have stated that IP addresses are personal data and that transmission of EU visitor data to US servers via analytics scripts constitutes a transfer requiring a valid Chapter V mechanism.
- French CNIL: ongoing investigation into cookie consent banners and data transfers triggered by third-party tracking scripts — the intersection of ePrivacy Directive compliance and GDPR Chapter V is an active enforcement focus.
- Dutch AP: investigation into healthcare sector cross-border transfers following a 2024 incident involving transfer of Dutch patient data to a US medical AI provider under SCCs where the TIA failed to assess the impact of HIPAA not covering the specific data processing at issue.
The pattern is clear: DPAs are moving beyond fining the largest platforms and are directing enforcement at mid-market companies in regulated sectors (healthcare, financial services, HR) that have relied on template SCCs without conducting bespoke TIAs.
Conclusion
The Schrems II judgment established a legal principle that has not been resolved by the DPF: EU fundamental rights law requires that EU personal data exported to the US enjoy protection that is "essentially equivalent" to GDPR standards, including effective judicial redress against government surveillance. Whether the DPRC satisfies that standard will be determined by the CJEU, not by the Commission's adequacy assessment. The prudent legal strategy is to treat the DPF as a convenience mechanism for the period during which it remains valid, while maintaining robust SCC and TIA infrastructure as the permanent baseline.
The organizations that will be best positioned — in regulatory standing, operational continuity, and litigation risk management — are those that have implemented SCCs across their processor relationships, maintained current TIA documentation, applied technical supplementary measures for sensitive data, and begun BCR preparation for intra-group transfers. This is not a compliance overhead choice; it is a risk management decision with directly calculable downside exposure.
Legal Disclaimer: This article is provided for general informational purposes only and does not constitute legal advice. The laws and regulations described are complex, subject to change, and vary depending on specific facts and circumstances. GDPR enforcement positions, CJEU judgments, and Commission adequacy decisions referenced herein are subject to ongoing legal developments. Nothing in this article should be relied upon as a substitute for advice from qualified legal counsel specializing in EU data protection and cross-border data transfer compliance. Morvantine and its contributors assume no liability for actions taken on the basis of the information contained herein.