Sovy

Data Privacy Blog

April 30, 2026  |  By Irina

Schrems II and the Future of Cross-Border Data Transfers


Many organizations assume their international data transfers are under control.

They rely on cloud providers, global software vendors, and cross-border workflows that have become part of everyday operations. People sign contracts, file compliance documents, and move forward under the assumption that existing safeguards are enough.

But when legal frameworks change, they test those assumptions. That is exactly what happened with Schrems II.

The ruling changed how organizations handle cross-border data transfers under the GDPR. It created uncertainty about international data flows. It forced companies to rethink how they transfer personal data outside the European Economic Area.

Cross-border compliance is not a one-time exercise. It is an ongoing responsibility.

As oversight grows and global data rules keep changing, organizations must plan for today’s duties and what comes next.

What Schrems II changed

The Court of Justice of the European Union issued the Schrems II decision in 2020. It struck down the EU-US Privacy Shield framework.

The court concluded that US surveillance laws did not provide protections equivalent to those guaranteed under EU law. This decision had immediate consequences for organizations relying on transatlantic data transfers.

Without the Privacy Shield, companies had to review how they sent personal data. They had to check transfers to the United States and to other third countries. The ruling did not prohibit international transfers entirely.

However, it reinforced that organizations must ensure the same level of protection for personal data. This applies regardless of where someone processes the data.

This is where GDPR standard contractual clauses became even more important.

But Schrems II also made it clear that contractual clauses alone are not always enough.

Organizations must evaluate whether the legal environment of the receiving country undermines those safeguards. That requirement introduced a new level of accountability.

Why another framework collapse is still possible

Since Schrems II, organizations have looked to replacement frameworks for stability.

The EU and the US introduced the Data Privacy Framework to restore legal certainty for transatlantic transfers. But many experts continue to question its long-term resilience.

The structural concerns raised in Schrems II — particularly around government surveillance and redress mechanisms — have not disappeared entirely. As a result, the possibility of another legal challenge remains.

For businesses, this creates a difficult reality. Compliance strategies built solely around political agreements can quickly become vulnerable.

If another framework becomes invalid, organizations may once again need to adapt with little warning.

This is why forward-looking companies are focusing less on temporary frameworks and more on sustainable transfer strategies. The goal is resilience, not short-term convenience.

Cross-border data transfers under GDPR

Under GDPR rules for cross-border data transfers, personal data can leave the EU only with strong safeguards.

These protections may include:

  • Adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules
  • Approved codes of conduct
  • Certification mechanisms

Among these, SCCs remain the most widely used.

But after Schrems II, their use requires more than simply signing a contract. Organizations must assess whether those clauses can be effectively upheld in practice.

This means understanding the legal, technical, and operational realities of each transfer. That responsibility cannot be delegated entirely to vendors. It belongs to the transferring organization.

The role of the data transfer impact assessment

A data transfer impact assessment has become one of the most important compliance tools in international transfers.

Its purpose is to evaluate whether personal data transferred to another country remains adequately protected.

This involves examining:

  • The nature of the data
  • The purpose of the transfer
  • The legal framework of the destination country
  • The likelihood of government access
  • The technical safeguards applied

A transfer impact assessment is not a checklist exercise.

It requires careful analysis and documentation.

For regulators, it demonstrates accountability. For organizations, it provides visibility into actual transfer risks. Without it, companies may struggle to justify their compliance decisions if challenged.

And in a post-Schrems environment, that justification matters.

Regional data localization trends

One of the most significant shifts since Schrems II is the rise of data localization.

Organizations are increasingly choosing — or being required — to keep data within specific jurisdictions.

This trend is driven by:

  • Regulatory pressure
  • Customer expectations
  • National digital sovereignty initiatives
  • Concerns over foreign access to data

In Europe, data residency has become a strategic consideration.

Cloud providers now promote regional hosting options, while organizations reassess vendor relationships based on data location. This does not mean globalization is ending.

But it does mean data architecture is becoming more regionally structured. For many companies, localization is no longer only a compliance response. It is part of broader risk management.

Why contractual safeguards alone are not enough

Before Schrems II, many organizations viewed contracts as sufficient protection.

If clauses were signed, the transfer was considered covered. That assumption no longer holds.

The ruling emphasized that legal safeguards must be effective in practice. If local laws override contractual protections, additional measures are necessary. This is why organizations must move beyond documentation and focus on enforceability.

Contracts remain essential, but they are only one layer of protection.

Without technical and organizational measures, they may not be enough.

Technical safeguards that actually work

The most effective response to transfer risk often lies in technical controls. These safeguards reduce exposure even when legal uncertainty exists.

Practical measures include:

Strong encryption

Data should be encrypted in transit and at rest. Key management should stay under the exporting organization’s control.

Pseudonymization

Removing direct identifiers limits the ability to connect transferred data to individuals.

Access controls

Strict permissions reduce unnecessary exposure and limit who can interact with sensitive information.

Data minimization

Only the necessary data should be transferred for the intended purpose.

Regional processing models

Keeping sensitive operations within trusted jurisdictions reduces dependency on international transfers.

These measures do not eliminate all risks.

But they significantly strengthen compliance positions.

And regulators increasingly expect them.
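
As an added illustration (not Sovy's code and not part of the original article), the Python below applies two of the measures listed above, data minimization and pseudonymization, to a record before it leaves the exporter, with the pseudonymization key held only by the exporting organization. The field names, sample record and key are constructed assumptions.

```python
import hashlib
import hmac

# Constructed policy for one transfer purpose (assumption, not from the article).
ALLOWED_FIELDS = {"customer_id", "country", "plan", "signup_month"}  # minimization
DIRECT_IDENTIFIERS = {"customer_id"}                                 # pseudonymized

# Constructed sample key. In practice it would live in a key store controlled by
# the exporting organization and never be shared with the importer.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample record as held by the exporter.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "Example Person",
    "email": "person@example.com",
    "country": "IE",
    "plan": "pro",
    "signup_month": "2025-11",
}


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256): stable for joins, useless without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def prepare_for_export(record: dict, key: bytes) -> dict:
    """Build the only copy of the record that is allowed to leave the exporter."""
    exported = {}
    for field, value in record.items():
        if field not in ALLOWED_FIELDS:
            continue  # data minimization: drop what the purpose does not need
        if field in DIRECT_IDENTIFIERS:
            value = pseudonym(str(value), key)  # pseudonymization
        exported[field] = value
    return exported


def reidentify(pseudo: str, known_ids, key: bytes):
    """Exporter-side reverse lookup; requires the key, so the importer cannot do it."""
    for candidate in known_ids:
        if hmac.compare_digest(pseudonym(str(candidate), key), pseudo):
            return candidate
    return None


if __name__ == "__main__":
    print(prepare_for_export(SAMPLE_RECORD, SAMPLE_KEY))
```

A keyed HMAC is used rather than a plain hash because short, guessable identifiers can be recovered from an unkeyed hash by enumeration.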

Building resilience for the future

The long-term solution is not to chase every new framework. It is to build systems that remain defensible regardless of legal shifts.

This means treating international data transfers as part of broader governance.

Organizations should:

  • Regularly review transfer mechanisms
  • Maintain updated transfer assessments
  • Reassess vendor risks
  • Strengthen technical protections
  • Align legal, privacy, and security teams

This approach creates resilience.

Instead of reacting to legal uncertainty, organizations become better prepared to manage it.

That shift is critical in an increasingly fragmented global data landscape.

How Sovy can help

Managing international transfers, legal requirements, and evolving risks can quickly become complex.

This is where Sovy Data Privacy Essentials provides practical support.

Sovy helps organizations centralize privacy operations, document transfer mechanisms, and maintain visibility into compliance requirements.

With a structured platform, you can:

  • Track cross-border data flows
  • Support transfer assessments
  • Maintain GDPR records
  • Align privacy processes across departments
  • Improve readiness for audits and regulatory scrutiny

Instead of using fragmented spreadsheets and manual tracking, organizations get a clearer, scalable way to manage privacy.

As transfer requirements continue to evolve, having the right system in place becomes essential.

Sovy GDPR Privacy Essentials helps organizations stay prepared, structured, and compliant in a changing regulatory environment.

Final thoughts

Schrems II changed more than legal frameworks. It changed expectations.

Organizations are now expected to actively evaluate transfer risks, implement meaningful safeguards, and demonstrate accountability across international operations.

The era of relying solely on contractual documents is over.

In its place is a more demanding but more resilient model of compliance.

As cross-border data transfers continue to face legal and political uncertainty, preparation matters more than ever.

Companies that invest in governance, technical safeguards, and long-term visibility will be better positioned for whatever comes next.

Because in global data privacy, adaptability is no longer optional. It is a competitive necessity.

FAQs

What is Schrems II?

Schrems II is a 2020 ruling by the Court of Justice of the European Union. It struck down the EU-US Privacy Shield. It also increased checks on international data transfers.

What are GDPR standard contractual clauses?

They are legal agreements approved by the European Commission. They help organizations transfer personal data outside the EU. They also maintain GDPR protections.

What is a data transfer impact assessment?

A data transfer impact assessment evaluates whether personal data transferred internationally remains protected under the laws and safeguards of the receiving country.

Are cross-border data transfers still allowed under GDPR?

Yes, but only when appropriate legal, technical, and organizational safeguards are in place.

Why is Schrems II still relevant in 2026?

Because it continues to shape how regulators and organizations approach international transfers, especially regarding US-based providers.

How can companies prepare for another framework collapse?

By strengthening technical safeguards, conducting transfer assessments, and building resilient compliance strategies beyond temporary legal agreements.

How can Sovy support cross-border data transfer compliance?

Sovy Data Privacy Essentials helps organizations manage privacy obligations, document transfer mechanisms, and maintain visibility into evolving compliance requirements.


Copyright © 2026 Sovy Trust Solutions Limited. All Rights Reserved. Registered in Ireland, No. 610835 and No. 605069