Comparing the transfer mechanisms & the future of restrictions
This pulls the four main routes together - adequacy decision, , BCRs, and Article 49 - and the book's outlook. Overcoming transfer restrictions is one of the hardest compliance challenges; the EU's appetite for a softer approach is low. Organisations are advised to build a global compliance programme tied to the Commission's adequacy criteria, anchored by a contractual mechanism or BCRs.
| Feature | Adequacy decision | Standard contractual clauses (SCCs) | Binding corporate rules (BCRs) | Article 49 derogations |
|---|---|---|---|---|
| Legal basis | Article 45 | Article 46 (appropriate safeguards) | Article 46 / Article 47 (appropriate safeguards) | Article 49 (derogations) |
| Who decides / approves | European Commission (implementing act) | Commission adopts the clauses; parties sign them - no specific authorisation needed | Supervisory authorities via the consistency mechanism | No approval; parties self-assess (some jurisdictions require SA notification) |
| Typical use | Transfers to a recognised adequate country | Most common general route to non-adequate countries | Intra-group transfers within a multinational | Last resort, specific situations only |
| Transfer impact assessment needed? | No - adequacy already decided | Yes - Schrems II requires assessing third-country law and supplementary measures | Yes - same assessment duty applies to Article 46 tools | N/A - relies on a specific derogation condition instead |
| Scope / flexibility | Whole country, territory or sector | Modular (4 modules: C2C, C2P, P2P, P2C) | Tailored, group-wide; controller or processor | Narrow, situation-specific; interpreted restrictively |
| Onward authorisation | None required | None required (clauses are pre-approved) | Approved once, then reusable across the group | None, but use restrictively / as a last resort |
Outlook: implementing the right mechanism in every case is onerous and time-consuming. Despite globalisation and surveillance threats, the EU institutions' appetite for a softer approach is likely to be low. The recommended strategy is a viable global data protection compliance programme aligned to the Commission's adequacy criteria, committed to via a contractual mechanism or BCRs.
The mechanisms follow a hierarchy: adequacy first; if none, appropriate safeguards (SCCs/BCRs); only then, as a last resort, the Article 49 derogations.