TermsEx Blog

9 min read By TermsEx Website
Privacy International Law Data Protection

Cross-Border Data Transfers: Why Your German Data Sits on a US Server

In July 2020, the European Court of Justice issued a ruling that upended international data flows. The Schrems II decision invalidated the Privacy Shield framework—the mechanism allowing thousands of companies to transfer European personal data to the United States. Overnight, legal pathways that facilitated global internet operations became uncertain.

Three years later, businesses still navigate this uncertainty. New frameworks have emerged, but fundamental tensions between US surveillance law and European privacy rights remain unresolved. For individuals, understanding cross-border transfers explains why data protection varies dramatically depending on where your information travels—and why "the cloud" isn't a placeless abstraction.

Why Cross-Border Transfers Matter

The internet operates globally, but data protection laws operate nationally or regionally. When a German citizen uses a service hosted in California, their personal data crosses borders—and legal jurisdictions. This creates tension:

  • European data protection standards are among the world's highest
  • US surveillance law authorizes extensive government data access
  • Companies want the efficiency of centralized global infrastructure
  • Individuals expect consistent protection regardless of data location

Cross-border transfer rules attempt to resolve this tension by ensuring GDPR-level protection travels with data, even when it leaves European territory.

GDPR Chapter V: The Transfer Framework

The GDPR's Chapter V establishes that personal data cannot be transferred outside the European Economic Area unless adequate protection is maintained. The framework provides several transfer mechanisms:

Adequacy Decisions

The European Commission can determine that a country's data protection laws provide "adequate" protection—functionally equivalent to GDPR standards. When adequacy exists, data flows freely without additional safeguards.

Current adequate jurisdictions include:

  • United Kingdom (post-Brexit adequacy decision)
  • Canada (commercial organizations)
  • Japan
  • South Korea
  • Argentina
  • Israel
  • New Zealand
  • Uruguay
  • Selected other countries

The United States has no general adequacy finding; the 2023 EU-US Data Privacy Framework adequacy decision discussed below covers only organizations that self-certify under that framework.

Standard Contractual Clauses (SCCs)

When no adequacy decision exists, companies can use standardized contractual commitments approved by the European Commission. These Standard Contractual Clauses require data importers (recipients) to promise GDPR-equivalent protection, subject to EU data protection authority oversight.

SCCs have been the workhorse of international data transfers for two decades. The European Commission updated SCCs in 2021 to address Schrems II concerns, adding requirements for transfer impact assessments and enhanced government access provisions.

Binding Corporate Rules (BCRs)

For intra-company transfers within multinational corporations, Binding Corporate Rules provide an alternative to SCCs. BCRs require approval from European data protection authorities and establish internal data protection policies binding across corporate entities.

BCRs are expensive to establish and maintain, making them practical primarily for large multinational organizations with significant European operations.

Certifications and Codes of Conduct

The GDPR authorized new transfer mechanisms including certifications and codes of conduct, but these remain limited in adoption and practical application.

Derogations

For specific, limited situations, derogations (exceptions) permit transfers without SCCs or adequacy decisions:

  • Explicit consent from the data subject
  • Necessary for contract performance
  • Necessary for important public interest reasons
  • Necessary for legal claims
  • Necessary to protect vital interests
  • Transfers from public registers

Derogations are narrowly construed and don't provide general transfer authorization.

Schrems II: The Earthquake

Max Schrems, an Austrian privacy activist, challenged Facebook's data transfers to the US. His case reached the European Court of Justice in 2020, producing the Schrems II decision with far-reaching consequences:

Privacy Shield Invalidated

The Court invalidated the EU-US Privacy Shield framework—a self-certification system allowing US companies to receive European data. The Court found that US surveillance law (specifically FISA Section 702 and Executive Order 12333) enabled government access to European data without adequate safeguards or redress mechanisms.

SCCs Survived—but With Conditions

Standard Contractual Clauses remained valid, but with crucial caveats. Companies using SCCs must verify that recipient countries provide adequate protection in practice, not just in contract. If local law undermines SCC protections, additional measures—or suspension of transfers—may be required.

The Fundamental Problem

Schrems II didn't just invalidate one mechanism—it highlighted a structural conflict. US national security law prioritizes surveillance capability. European privacy law prioritizes individual rights. These values clash when data flows across the Atlantic.

The Transfer Impact Assessment (TIA) Requirement

Post-Schrems II, companies using SCCs must conduct Transfer Impact Assessments (TIAs). These assessments:

Evaluate Recipient Country Laws

Analyze whether local law enables government access that could undermine SCC protections. For US transfers, this means examining FISA 702, Executive Order 12333, and CLOUD Act provisions.

Assess Supplemental Measures

If local law presents risks, companies must implement supplemental technical, contractual, or organizational measures to ensure protection. Common supplemental measures include:

  • Encryption (in transit and at rest)
  • Pseudonymization
  • Contractual commitments beyond SCCs
  • Organizational controls limiting access

Document and Review

TIAs must be documented and regularly reviewed as laws and practices evolve.

The TIA Problem

TIAs sound straightforward. They're not. Assessing foreign surveillance law requires legal expertise most companies lack. Evaluating whether supplemental measures "work" involves technical judgments about encryption strength and re-identification risks. And the entire analysis assumes you can accurately assess secret government surveillance capabilities.

Many companies struggle to complete defensible TIAs. Some proceed with transfers hoping enforcement doesn't target them. Others invest heavily in technical safeguards that may or may not satisfy regulators. The legal uncertainty slows deals, increases costs, and creates compliance anxiety.

Supplemental Measures: Technical Solutions?

Encryption is the most discussed supplemental measure. If data is encrypted in Europe, with keys held in Europe, transferred encrypted, and only decrypted in Europe, has a "transfer" actually occurred?

Data protection authorities have taken cautious positions. Encryption helps, but its effectiveness depends on:

  • Who holds the keys? If the US recipient holds decryption keys, the encryption provides limited protection against government access.
  • What processing occurs? If the US entity processes encrypted data (possible with some encryption schemes), different risks apply.
  • Can governments compel decryption? Legal analysis must consider whether recipient country law could compel key disclosure.

Pseudonymization—replacing identifiers with tokens—provides additional protection but faces similar limitations if the pseudonymization key is accessible.

No supplemental measure provides perfect protection against determined government access. They raise the bar, making mass surveillance more difficult, but don't eliminate risks entirely.
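The key-holder question above can be made concrete. This is an added example, not code from the article or from TermsEx: an EU exporter pseudonymizes records with a keyed token (HMAC-SHA256) before sending them abroad, and a re-identification check shows who can link tokens back to people. The record fields, addresses and key value are constructed; the unkeyed-hash variant is included to show why a secret key is what makes the measure effective.

```python
import hashlib
import hmac

# Constructed sample records held by the EU exporter (not real people).
EU_RECORDS = [
    {"email": "anna@example.de", "country": "DE", "purchase_eur": 42.0},
    {"email": "ben@example.fr", "country": "FR", "purchase_eur": 17.5},
]

def keyed_token(email, key):
    """Keyed pseudonym: HMAC-SHA256 over the identifier with a secret key."""
    return hmac.new(key, email.encode(), hashlib.sha256).hexdigest()

def unkeyed_token(email):
    """Weak variant: a plain hash with no secret, kept here for comparison."""
    return hashlib.sha256(email.encode()).hexdigest()

def pseudonymize(records, key):
    """Replace the direct identifier with a keyed token before export.

    The key never leaves the exporter; the importer receives only tokens
    plus the non-identifying fields it needs for processing.
    """
    return [
        {"subject_token": keyed_token(r["email"], key),
         "country": r["country"],
         "purchase_eur": r["purchase_eur"]}
        for r in records
    ]

def reidentify(token, candidate_emails, key=None):
    """Try to link a token back to an identifier by testing candidates.

    Models what a party holding the token plus the key (or, for the
    unkeyed variant, the token alone) can do. Returns the matching
    email or None.
    """
    for email in candidate_emails:
        guess = unkeyed_token(email) if key is None else keyed_token(email, key)
        if hmac.compare_digest(guess, token):
            return email
    return None

def demo():
    """Export the sample, then compare outcomes for three key situations."""
    eu_key = b"constructed-key-held-only-in-the-eu"   # constructed value
    exported = pseudonymize(EU_RECORDS, eu_key)
    candidates = [r["email"] for r in EU_RECORDS]
    tok = exported[0]["subject_token"]
    return {
        "importer_guessing_key": reidentify(tok, candidates, b"guess"),  # None
        "holder_of_eu_key": reidentify(tok, candidates, eu_key),         # anna
        "unkeyed_hash": reidentify(unkeyed_token("anna@example.de"), candidates),
    }
```

The `unkeyed_hash` case succeeds with no secret at all, which is why a plain hash of an identifier is not a meaningful supplemental measure; the keyed case succeeds only for whoever holds the key, which is exactly the question regulators ask.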

The New EU-US Data Privacy Framework

In 2023, the European Commission adopted a new adequacy decision for the United States—the EU-US Data Privacy Framework. This followed Executive Order 14086, which established new safeguards for US signals intelligence activities:

What's New:

  • New redress mechanism for EU individuals (Data Protection Review Court)
  • Enhanced necessity and proportionality requirements for surveillance
  • New oversight and compliance procedures

What's Contested:

Privacy activists immediately challenged the new framework. Critics argue:

  • Executive orders can be changed by future administrations
  • The redress mechanism may not provide effective remedy
  • Bulk surveillance authorities remain largely intact
  • The fundamental conflict between US surveillance priorities and EU privacy rights persists

Legal challenges are pending. Whether the new framework survives judicial review remains uncertain. Companies relying on it face potential future disruption if courts invalidate the adequacy decision.

Practical Impact on Businesses

The post-Schrems II landscape has fundamentally changed international data operations:

Increased Compliance Costs

TIAs, legal consultations, and technical implementations cost money. Small and medium businesses face disproportionate burdens.

EU Data Localization

Many companies have shifted to EU-only data storage for European customers. Cloud providers have expanded European data center capacity. Some companies now maintain entirely separate EU infrastructure.

Contract Complexity

Data processing agreements have grown longer and more complex. SCCs require attachments, TIA summaries, and supplemental measure descriptions.

Deal Friction

European companies increasingly scrutinize partners' data transfer arrangements. Due diligence now includes transfer impact assessments. Some deals slow or fail over transfer mechanism disagreements.

Vendor Consolidation

Companies prefer vendors with established EU presence and transfer compliance programs. Smaller vendors without EU infrastructure face competitive disadvantages.

What Individuals Can Do

Understanding cross-border transfers empowers privacy choices:

Check Privacy Policy Disclosures

Look for transfer disclosures. Does the company acknowledge international transfers? Do they mention Standard Contractual Clauses or other mechanisms?

Look for EU Data Residency Options

Many services now offer EU data residency—storing European user data exclusively in European data centers. This eliminates transfer complications entirely.

Review Subprocessor Lists for Geography

GDPR requires companies to list subprocessors. These lists often include geographic indicators, showing where data actually flows.

Submit GDPR Access Requests

Ask specifically where your data is stored and what transfer mechanisms apply. Companies must respond with this information.

Consider EU-Based Alternatives

When services are equivalent, choosing EU-based providers eliminates transfer risks and supports European data protection standards.

The Fundamental Tension Remains

Schrems II revealed something important: data transfer mechanisms are temporary solutions to a permanent conflict. US law prioritizes national security surveillance. European law prioritizes individual privacy rights. These values can't both fully prevail.

Executive Order 14086 and the new Data Privacy Framework represent compromise—not resolution. They add safeguards without fundamentally changing US surveillance authorities. They provide redress mechanisms that may or may not satisfy European courts.

Future litigation will test these compromises. The Schrems saga demonstrates that individual activists can reshape global data flows. Max Schrems didn't just challenge Facebook—he forced structural reconsideration of how the internet operates across borders.

Conclusion

Cross-border data transfers sit at the intersection of technology, law, and national sovereignty. The mechanisms enabling global data flows—adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules—are legal fictions that attempt to extend GDPR protection beyond European borders.

Schrems II revealed the limits of these fictions. When US law enables surveillance that European law forbids, contractual promises can't fully bridge the gap. Supplemental measures help but don't eliminate the fundamental conflict.

For businesses, the post-Schrems II landscape requires vigilance, investment, and acceptance of uncertainty. Transfer Impact Assessments, supplemental technical measures, and ongoing legal monitoring are now costs of international operation.

For individuals, understanding transfers explains why privacy protection varies by data location and why geographic choices matter. Your data on a European server faces different risks than your data on a US server—not because companies choose different protections, but because governments assert different authorities.

The Schrems saga continues. Legal challenges to the new Data Privacy Framework are pending. Surveillance technologies evolve. And the tension between security and privacy, between national authority and individual rights, persists across every data transfer.

Until that tension resolves, cross-border transfers remain one of the most complex and consequential areas of data protection law—affecting billions of data flows daily and reshaping how the global internet operates.

Sources:

  • Schrems II (Case C-311/18)
  • European Commission Standard Contractual Clauses (2021)
  • EDPB Recommendations on Supplemental Measures
  • Executive Order 14086
  • EU-US Data Privacy Framework Adequacy Decision (2023)
