Europe Just Activated a New Tool for Cross-Border Data Transfers

When the GDPR took effect in 2018, it was not obvious that only a few of the Article 46 safeguards would be utilized to effectuate international data transfers outside of the EU.  Now in 2026, most transfers outside of those based on adequacy decisions are effectuated via the European Commission’s standard contractual clauses (SCCs).  Sitting quietly in the background though in Article 46(2)(f) is a transfer mechanism based on an approved certification mechanism.  Until April, this mechanism was all theoretical. 

Recently, the European Data Protection Board (EDPB) adopted Opinion 15/2026, approving the Europrivacy certification scheme as a European Data Protection Seal to be used as a transfer tool under Article 46(2)(f) GDPR.  The companion opinion, Opinion 14/2026, also expanded the general Europrivacy compliance certification, previously limited to EU and EEA-based organizations. to include entities outside the EEA that are subject to GDPR under Article 3(2).

Why This Matters (Especially For Non-EU Companies)

Companies that transfer personal data out of the EEA and which cannot rely on an adequacy decision (e.g. EU-US Data Privacy Framework) have largely relied on SCCs to do so lawfully.  SCCs work, but they come real operational weight including lengthy contracts and transfer impact assessments.

It is also worth noting that for US companies, the Data Privacy Framework itself is not on entirely solid ground.  It will continue to face attempts at invalidation for years to come. 

Against that backdrop, the Europrivacy transfer certification offers a concrete alternative. For a data importer that regularly receives personal data from multiple EEA exporters, this could substantially reduce the contract-by-contract burden that SCCs impose.

How The Certification Works

Under Opinion 15/2026, a non-EEA data importer would obtain Europrivacy certification under the Article 46 extension criteria. The certification covers specific data processing activities including the third country law applicable to the non-EEA importer, defined as the Target of Evaluation (or ToE).

The certification also requires the importer to commission a written legal expert assessment confirming that the law of the third country does not prevent compliance with the GDPR obligations embedded in the certification criteria. That assessment must be revisited whenever the legal or regulatory landscape in the third country changes in a material way.

The Practical Picture

For most organizations, SCCs will remain the go-to tool for international transfers as there is no upfront cost. But for data importers that receive high volumes of personal data from multiple EEA partners or where valuable EEA partners insist on a certification, the Europrivacy transfer certification offers a compelling alternative of one audit, one certificate, and a legally recognized safeguard. 

 Originally published by InfoLawGroup LLP. If you would like to receive regular emails from us, in which we share updates and our take on current legal news, please subscribe to InfoLawGroup’s Insights HERE. This summary does not constitute legal advice.

Max LandawGDPR, EU