Navigating EU-US Data Transfers: Practical Guidance After Schrems II
TL;DR — Quick Answer
Post-Schrems II, EU-US data transfers remain legally risky. For web analytics, switching to an EU-hosted privacy-respecting tool eliminates the data transfer issue entirely.
The legal landscape for EU-US data transfers has been in flux since the Schrems II ruling. Organizations must understand the current options and risks for transferring personal data across the Atlantic.
Current Transfer Mechanisms
Adequacy decisions: The EU-US Data Privacy Framework provides an adequacy basis for transfers to certified US organizations. However, this framework faces legal challenge and may not be permanent.
Standard Contractual Clauses (SCCs): The most widely used transfer mechanism, but Schrems II requires organizations to assess whether SCCs actually protect data in practice, considering the surveillance laws of the destination country.
Binding Corporate Rules: Suitable for intra-group transfers within multinational organizations but require supervisory authority approval.
The Challenge with US Transfers
US surveillance law, particularly Section 702 of FISA and Executive Order 12333, allows broad intelligence collection of foreign data. This makes it difficult to provide the "essentially equivalent" level of protection that EU law requires. Technical measures like encryption may help but are insufficient when the data processor holds the decryption keys.
Practical Recommendations
Organizations should audit their data transfer map, assess the risk of each transfer, implement supplementary measures where possible, and consider EU-based alternatives for services that are available from European providers. For web analytics specifically, switching to an EU-hosted, privacy-respecting tool eliminates the data transfer issue entirely.