COMPLIANCE

Cross-Border Data Transfers Under GDPR

Vakteye Team · Nov 10, 2025 · 7 min read

Cross-border data transfers remain one of GDPR's most complex and contentious areas. Articles 44 through 49 establish the framework: personal data may only be transferred to countries outside the EU/EEA if adequate safeguards are in place. The practical implementation of this requirement has evolved dramatically since Schrems II invalidated the EU-US Privacy Shield in July 2020.

The EU-US Data Privacy Framework (DPF), adopted in July 2023, provides a new adequacy mechanism for transfers to certified US organizations. However, the DPF faces ongoing legal challenges, and many privacy professionals question its long-term viability. Organizations relying on the DPF should maintain contingency plans — including Standard Contractual Clauses (SCCs) with supplementary measures — in case the framework is invalidated.

Standard Contractual Clauses remain the most widely used transfer mechanism. The European Commission's updated SCCs (adopted June 2021) introduced a modular approach covering four transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller. Organizations must complete a Transfer Impact Assessment (TIA) for each transfer, evaluating whether the destination country's legal framework provides essentially equivalent protection.

For websites, the most common transfer issue involves third-party services. Loading Google Analytics, Meta Pixel, or similar technologies typically involves transferring personal data (IP addresses, device identifiers, behavioral data) to US-based servers. The CJEU's Schrems II logic applies to these transfers: if US surveillance law could compel access to the data, SCCs alone may not be sufficient without additional technical safeguards like encryption or pseudonymization.

Several European DPAs have taken enforcement action specifically on website-related transfers. The Austrian DSB and French CNIL both found Google Analytics implementations unlawful under Schrems II. While the DPF has provided temporary relief, organizations should evaluate whether server-side analytics, EU-based proxies, or alternative providers might reduce their transfer risk.

Vakteye's scanning engine detects cross-border transfers by analyzing network requests, server locations, and cookie domain ownership. We identify which third-party services receive personal data, where their servers are located, and whether the transfers are covered by an adequate legal mechanism. This gives organizations a clear inventory of their transfer exposure — the essential first step toward compliance.

The intersection of AI services and cross-border transfers adds new complexity. Organizations using cloud-based AI APIs (for content generation, translation, or analytics) may be transferring personal data to third-country servers without realizing it. A transfer assessment must now include AI service providers alongside traditional analytics and marketing tools.
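The kind of transfer inventory this post describes, as an added example rather than Vakteye's own engine or code: a crawler's observed requests are reduced to their registrable domains, matched against a provider registry recording server country and documented transfer mechanism, and checked for cookies whose domain belongs to a third party. Every hostname, operator, server country, mechanism and cookie domain in the registry and sample is an assumption constructed for illustration, and the EEA and adequacy tables are illustrative subsets; a real run would take the adequacy list from the Commission and the suffix rules from the Public Suffix List. The sample deliberately includes an AI API endpoint alongside analytics and pixel hosts, since the text notes those are easy to miss.

```python
"""Transfer-exposure inventory built from a site's outbound requests.

Added example, not Vakteye's scanning engine. Every hostname, operator,
server country and transfer mechanism below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Illustrative subsets; confirm against EEA membership and the Commission's
# current adequacy decisions before relying on either table.
EEA_COUNTRIES = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR",
                 "DE", "GR", "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL",
                 "PL", "PT", "RO", "SK", "SI", "ES", "SE", "IS", "LI", "NO"}
ADEQUACY_COUNTRIES = {"GB", "CH", "JP", "CA", "KR", "IL", "NZ", "AR", "UY"}

# Stand-in for the Public Suffix List (assumption: real code loads the full list).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


@dataclass(frozen=True)
class Provider:
    operator: str
    server_country: str          # ISO 3166-1 alpha-2 of where the data lands
    mechanism: Optional[str]     # "DPF", "SCC", or None if nothing is documented


# Constructed registry keyed by registrable domain; all entries are hypothetical.
REGISTRY = {
    "example-analytics.com": Provider("Example Analytics Inc.", "US", "DPF"),
    "pixel-tracker.net": Provider("Pixel Tracker LLC", "US", "SCC"),
    "ai-translate.io": Provider("AI Translate Ltd", "US", None),
    "eu-cdn.example": Provider("EU CDN GmbH", "DE", None),
    "tags.co.uk": Provider("Tags UK Ltd", "GB", None),
}


@dataclass(frozen=True)
class Request:
    url: str
    cookie_domain: Optional[str] = None   # Domain attribute of a Set-Cookie in the response


@dataclass
class Finding:
    host: str
    registrable_domain: str
    verdict: str
    operator: str = "unknown"
    server_country: str = "?"
    mechanism: Optional[str] = None
    third_party_cookie: bool = False


def registrable_domain(host: str) -> str:
    """Return the registrable (eTLD+1) part of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(req: Request, site_domain: str) -> Finding:
    """Assign one request a transfer verdict a reviewer can act on."""
    host = urlparse(req.url).hostname or ""
    reg = registrable_domain(host)
    site_reg = registrable_domain(site_domain)
    cookie_owner = registrable_domain(req.cookie_domain.lstrip(".")) if req.cookie_domain else None
    third_party_cookie = cookie_owner is not None and cookie_owner != site_reg

    if reg == site_reg:
        return Finding(host, reg, "first-party", third_party_cookie=third_party_cookie)
    provider = REGISTRY.get(reg)
    if provider is None:
        # At least the IP address leaves the site, but the destination is unknown:
        # this needs manual review before the assessment is complete.
        return Finding(host, reg, "unknown-third-party", third_party_cookie=third_party_cookie)

    country = provider.server_country
    if country in EEA_COUNTRIES:
        verdict = "intra-eea"
    elif country in ADEQUACY_COUNTRIES:
        verdict = "adequacy"
    elif provider.mechanism == "DPF":
        verdict = "dpf"            # keep an SCC contingency in case the DPF falls
    elif provider.mechanism == "SCC":
        verdict = "scc-needs-tia"  # SCCs alone need a TIA and supplementary measures
    else:
        verdict = "no-mechanism"
    return Finding(host, reg, verdict, provider.operator, country,
                   provider.mechanism, third_party_cookie)


def inventory(requests, site_domain: str) -> list:
    """One finding per third-party registrable domain; first-party traffic is dropped."""
    seen = {}
    for req in requests:
        f = classify(req, site_domain)
        if f.verdict == "first-party":
            continue
        prev = seen.get(f.registrable_domain)
        if prev is None:
            seen[f.registrable_domain] = f
        elif f.third_party_cookie:
            prev.third_party_cookie = True
    return list(seen.values())


def summarize(findings) -> dict:
    """Count findings per verdict, the headline number for a transfer assessment."""
    counts = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


# Constructed sample of what a crawler might observe while loading one page.
SAMPLE_SITE = "shop.example"
SAMPLE_REQUESTS = [
    Request("https://www.shop.example/cart"),
    Request("https://cdn.example-analytics.com/collect?cid=123", cookie_domain=".example-analytics.com"),
    Request("https://pixel-tracker.net/px.gif?ev=view"),
    Request("https://api.ai-translate.io/v1/translate"),
    Request("https://eu-cdn.example/static/app.js"),
    Request("https://www.tags.co.uk/gtm.js"),
    Request("https://unknown-widget.xyz/embed.js"),
]

if __name__ == "__main__":
    for f in inventory(SAMPLE_REQUESTS, SAMPLE_SITE):
        flag = " [sets own cookie]" if f.third_party_cookie else ""
        print(f"{f.registrable_domain:24} {f.server_country:2} {f.verdict:20} {f.operator}{flag}")
    print(summarize(inventory(SAMPLE_REQUESTS, SAMPLE_SITE)))
```

The verdicts are ordered so that geography is settled before mechanism: a provider whose servers sit inside the EEA needs no Chapter V mechanism at all, an adequacy destination needs none either, and only then does the DPF or SCC question arise. The "unknown-third-party" bucket is the one that usually matters most in practice, because an unreviewed host is a transfer nobody has assessed.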