CPDP highlights ongoing challenges of International Data Transfers

At CPDP, a panel titled "Beyond Adequacy: Fostering Trustworthy International Data Transfers" examined how organisations and regulators can navigate the increasingly complex landscape of cross-border data flows as the GDPR approaches its 10-year milestone.

 

Speakers agreed that international data transfers remain one of the most persistent and operationally challenging areas of GDPR compliance. While legal frameworks such as adequacy decisions and Standard Contractual Clauses (SCCs) are well established, the environment continues to evolve through court rulings, geopolitical pressures, and divergent global regulatory expectations.

 

Transfers as a structural issue, not a niche topic

The panel emphasised that data transfers are a structural feature of the digital economy rather than a narrow compliance concern.

Tobias Judin, Head of International Section at the Norwegian Data Protection Authority, stressed that GDPR should be understood as a framework designed to deliver real-world protections rather than administrative formality. He reportedly noted that the key issue is not organisational size or compliance capacity, but whether meaningful safeguards are effectively implemented in practice.

He also highlighted that organisations often frame transfer compliance in overly binary operational terms, whereas GDPR already contains mechanisms intended to enable lawful transfers under appropriate safeguards.

 

Fragmentation and SCC dependency

A recurring concern was the fragmentation of guidance and enforcement across jurisdictions, which significantly increases operational complexity.

Lorelien Hoet, Director of EU Government Affairs at Microsoft, pointed to the lack of harmonised regulatory guidance as a key challenge. She noted that both SMEs and large multinational providers face similar structural difficulties when transferring data internationally, even if their resources differ.

Participants also highlighted the continued dominance of Standard Contractual Clauses, with some estimates suggesting that around 85% of SMEs rely on SCCs. While widely used, SCCs were described as complex and resource-intensive when combined with transfer impact assessments and evolving regulatory expectations.

 

Risk, adequacy, and legal uncertainty

The discussion returned repeatedly to the tension between risk-based and more absolutist interpretations of Chapter V GDPR. Several speakers suggested that Court of Justice case law has increased compliance uncertainty by requiring organisations to assess third-country legal systems in ways that are difficult to standardise.

Adequacy decisions were recognised as an important mechanism, but limited in scalability due to their political sensitivity and the small number of jurisdictions deemed adequate.

 

A layered approach and better use of GDPR tools

A key consensus was the need for a layered approach to international transfers, combining legal mechanisms, technical safeguards, and organisational measures rather than relying on a single transfer tool.

Anu Talus, Chair of the European Data Protection Board (EDPB), reportedly emphasised that GDPR already contains practical tools that are often underused in practice. She stressed the importance of making these tools more accessible and operational, including ongoing work on templates for transfer impact assessments to support consistency and usability.

 

Codes of conduct and certification as scalable mechanisms

The panel also explored the potential of codes of conduct and certification schemes under Articles 40 and 42 GDPR as scalable compliance tools.

Industry participants noted that these mechanisms can help reduce duplication by providing structured, sector-specific frameworks for demonstrating compliance. Lorelien Hoet referenced ongoing work on cloud-focused codes of conduct under Article 40 GDPR, describing them as pragmatic tools that translate legal requirements into operational practice.

These tools were seen as particularly valuable for SMEs, helping reduce reliance on repeated, case-by-case transfer assessments.

 

Simplicity, standards, and the role of industry

Kai Zenner, Head of Office and Digital Policy Adviser to MEP Axel Voss at the European Parliament, highlighted the limitations of overly detailed legislation in fast-moving technological areas. He suggested that codes of practice and industry standards can play a complementary role in making regulation more workable.

At the same time, speakers cautioned that standardisation processes must remain inclusive, as smaller organisations often lack the resources to participate meaningfully.

 

Looking ahead

The panel closed with reflections on the European Commission’s proposed GDPR simplification under the Digital Omnibus initiative. While simplification was broadly welcomed in principle, speakers stressed that it must preserve legal certainty and the core protections underpinning the GDPR.

Overall, the discussion reinforced a central message: the GDPR already contains many of the tools needed for effective international data transfers, but greater clarity, usability, and harmonisation are needed to make them work in practice.
