Cross‑border Data Transfers After the DPF Appeal: Preparing for Schrems III

By Global Law Experts
– posted 2 hours ago

Cross‑border data transfers after the DPF appeal have become the single most urgent compliance question facing Austrian controllers and processors that rely on the EU‑US Data Privacy Framework for transatlantic data flows. The appeal proceedings, most prominently the Latombe v. CNIL challenge now before the Court of Justice of the European Union (CJEU), could produce what many in the industry already call a Schrems III ruling, potentially invalidating the DPF adequacy decision in much the same way its predecessors, Safe Harbor and Privacy Shield, were struck down.

This guide provides an Austria‑focused operational playbook: the legal background of the DPF appeal, the fallback transfer mechanisms available under the GDPR, a step‑by‑step Transfer Impact Assessment process, and a practical stress‑test checklist that in‑house legal teams can implement immediately.

TL;DR: What Austrian Businesses Must Know Now

The EU‑US Data Privacy Framework remains in force, but live proceedings before the CJEU mean its long‑term survival is uncertain. Austrian businesses that transfer personal data to the United States should not wait for a ruling before acting. The following four priorities should be on every compliance team’s agenda today:

  • Audit and map all US‑bound data transfers. Identify every processing activity that relies solely on the DPF adequacy decision; these are the transfers at immediate risk if the decision is set aside.
  • Conduct or refresh Transfer Impact Assessments (TIAs). Document the legal landscape of the recipient country and the supplementary measures in place.
  • Layer Standard Contractual Clauses (SCCs) underneath the DPF. Dual‑basis transfers provide a contractual safety net that can absorb the shock of an adverse ruling.
  • Brief your board and prepare a 72‑hour escalation plan. A sudden invalidation would require rapid contractual and technical responses; advance planning is essential.

Background: DPF, Latombe v. CNIL and the Road to the CJEU

The European Commission adopted the EU‑US Data Privacy Framework adequacy decision on 10 July 2023, following extensive negotiations with the United States aimed at addressing the deficiencies identified by the CJEU when it invalidated the Privacy Shield in Schrems II (Case C‑311/18). The DPF introduced new safeguards, notably Executive Order 14086 limiting US intelligence agencies’ access to EU personal data and creating a Data Protection Review Court (DPRC), and was designed to withstand exactly the kind of proportionality scrutiny that had doomed its predecessor.

Challenges to the adequacy decision were filed almost immediately. French member of parliament Philippe Latombe brought an action before the General Court of the EU (Case T‑553/23), arguing that the DPF failed to ensure a level of protection essentially equivalent to that guaranteed within the EU, particularly regarding US signals intelligence practices and the independence of the DPRC. On 3 September 2025 the General Court dismissed the action, holding that the applicant had not demonstrated manifest errors of assessment by the Commission. Industry observers note that the court’s reasoning left several substantive questions open, including the practical effectiveness of the redress mechanism and the scope of bulk data collection under Executive Order 14086.

Key Legal Questions Before the CJEU

Latombe appealed the General Court’s ruling to the CJEU, where the case is now pending. The core legal questions the CJEU is expected to address include:

  • Proportionality of US surveillance. Whether Executive Order 14086 constrains bulk collection sufficiently to meet the GDPR’s essential‑equivalence standard.
  • Independence of the DPRC. Whether the review court operates with genuine judicial independence comparable to EU standards.
  • Effective remedy. Whether EU data subjects have a meaningful and enforceable right of redress against US intelligence agencies.
  • Standard of review. Whether the General Court applied the correct legal test when assessing the Commission’s margin of appreciation.

These questions mirror, in substance, the concerns that brought down both Safe Harbor and Privacy Shield. A ruling against the DPF would produce the anticipated Schrems III scenario.

If the DPF Falls: Immediate Legal Consequences for Cross‑Border Data Transfers

Should the CJEU set aside the DPF adequacy decision, the legal consequences would be immediate and far‑reaching. Every transfer of personal data from the EEA to the United States that relies solely on the adequacy decision would lose its legal basis under Article 45 of the GDPR overnight. Unlike a legislative phase‑out, a court annulment typically takes effect without a transitional period, as was the case with Privacy Shield in July 2020.

For Austrian controllers, the practical effects would include:

  • Contracts relying exclusively on DPF certification become non‑compliant. Data processing agreements that cite the DPF as the sole transfer mechanism would need to be amended or supplemented before the next transfer takes place.
  • Enforcement exposure rises sharply. The Austrian Data Protection Authority (Datenschutzbehörde, DSB) has historically been proactive in enforcing transfer rules; it was, after all, an Austrian complaint that triggered Schrems I. Early indications suggest the DSB would be among the first supervisory authorities to scrutinise ongoing transfers.
  • Vendor and SaaS dependencies become critical. Austrian businesses using US‑headquartered cloud, payroll, HR, or analytics platforms may face operational disruption if those vendors cannot offer alternative transfer mechanisms at short notice.

The three immediate operational actions for any Austrian controller or processor are: (1) halt any new data‑sharing arrangements that depend solely on DPF adequacy; (2) assess every existing US‑bound transfer for alternative legal bases; and (3) document the assessment and escalate to the DPO and senior management within 72 hours.

Fallback Transfer Mechanisms: SCCs, BCRs and Cross‑Border Data Transfers After the DPF Appeal

The GDPR provides several alternative mechanisms for cross‑border data transfers that should be layered into every compliance strategy while the DPF appeal is pending. None of these alternatives is a perfect substitute, but each offers a legally recognised pathway that remains available regardless of the DPF’s fate.

Standard Contractual Clauses (SCCs)

Standard contractual clauses adopted by the European Commission under Article 46(2)(c) of the GDPR remain the most widely used alternative transfer mechanism. The current modular SCCs (Commission Implementing Decision 2021/914) cover controller‑to‑controller, controller‑to‑processor, processor‑to‑processor, and processor‑to‑controller scenarios. Crucially, the CJEU confirmed in Schrems II that SCCs are valid in principle, but only where the data exporter has verified, through a transfer impact assessment, that the legal framework of the recipient country does not impair the protections the clauses guarantee. This means SCCs alone are not a fire‑and‑forget solution; they must be paired with supplementary measures and ongoing monitoring.

Binding Corporate Rules (BCRs)

For multinational corporate groups, binding corporate rules approved under Article 47 of the GDPR offer a long‑term, organisation‑wide solution. BCRs require approval by a lead supervisory authority and recognition by all concerned EEA supervisory authorities through the consistency mechanism. The process typically takes 12 to 24 months, and the administrative cost is significant. However, BCRs provide a durable internal framework that is less vulnerable to the political and judicial volatility that affects adequacy decisions. For Austrian headquarters of international groups, early engagement with the DSB on BCR applications is advisable.

Supplementary Measures

The European Data Protection Board (EDPB) Recommendations 01/2020 on supplementary measures set out a six‑step process for evaluating whether additional technical, contractual, or organisational safeguards can compensate for deficiencies in a recipient country’s legal regime. Key supplementary measures include:

  • Technical: End‑to‑end encryption where the decryption keys remain solely under the exporter’s control; pseudonymisation before export; split processing across jurisdictions.
  • Contractual: Transparency obligations requiring the data importer to notify the exporter of any government access requests; commitments to challenge disproportionate requests; audit rights.
  • Organisational: Internal access controls limiting who within the importing entity can access transferred data; regular compliance reporting; joint data protection officer appointments.

Comparison of Transfer Mechanisms

| Mechanism | Pros | Main Disadvantages |
|---|---|---|
| Adequacy (DPF) | Minimal contractual overhead; easy operational continuity | Can be invalidated by court decision; relies on political and regulatory stability |
| Standard Contractual Clauses (SCCs) | Legally tested; widely adopted; standardised terms | Require TIAs and supplementary measures; subject to national DPA scrutiny |
| Binding Corporate Rules (BCRs) | Company‑wide, long‑term solution for corporate groups | Lengthy approval process (12–24 months); high administrative cost |

How to Run a Transfer Impact Assessment: Step‑by‑Step

A transfer impact assessment is the documented evaluation that GDPR Article 46 transferors must complete whenever they rely on SCCs or BCRs. The EDPB’s Recommendations 01/2020 provide the analytical framework. The following eight‑step process adapts that framework to the operational reality of Austrian controllers.

  1. Map the transfer. Identify the categories of personal data, the purpose and legal basis of the transfer, and the identity and location of every recipient (including sub‑processors).
  2. Identify the transfer mechanism. Confirm whether the transfer relies on SCCs, BCRs, or a derogation under Article 49, and note whether DPF certification is also in place.
  3. Assess the recipient country’s legal framework. Analyse the surveillance, law‑enforcement access, and government‑disclosure laws of the destination country. For US transfers, this means evaluating FISA Section 702, Executive Order 12333 (as modified by EO 14086), and the effectiveness of the DPRC.
  4. Evaluate whether the legal framework impairs the safeguards. Apply the CJEU’s essential‑equivalence test: do the recipient country’s laws allow access to transferred data in a manner that goes beyond what is necessary and proportionate in a democratic society?
  5. Identify supplementary measures. Determine what technical, contractual, and organisational measures can bridge any gap. Document why each measure is effective.
  6. Implement the supplementary measures. Amend contracts, deploy encryption, adjust access controls, and train relevant staff.
  7. Perform a residual‑risk assessment. After supplementary measures are in place, re‑evaluate whether the overall level of protection is essentially equivalent to that in the EEA. If it is not, the transfer must be suspended.
  8. Document and review. Record the assessment, the decision, and the rationale. Set a review date, at minimum annually, with earlier review triggered by any material change in the recipient country’s legal framework or by a relevant court ruling.

TIA Evidence Pack: What to Keep for Regulators

Austrian controllers should maintain a TIA dossier that includes, at minimum:

| Document | Purpose |
|---|---|
| Data transfer map | Shows all data flows to third countries, recipients, and legal bases |
| Recipient country legal analysis | Demonstrates knowledge of local surveillance and access laws |
| Supplementary measures record | Lists technical, contractual, and organisational safeguards deployed |
| Residual‑risk evaluation | Confirms essential equivalence or explains why transfer was suspended |
| Board / DPO sign‑off | Evidences governance oversight and accountability |
| Review schedule | Commits to periodic reassessment and identifies triggers for early review |

This dossier serves a dual purpose: it satisfies the GDPR’s accountability principle under Article 5(2), and it provides the DSB with the evidence it would request during an investigation. Regulators have made clear that an incomplete or absent TIA is itself a compliance failure, independent of whether the underlying transfer turns out to be lawful.

Parallel Adequacy Reviews and Comparative Precedent: UK and EU‑Brazil

The DPF appeal does not exist in a vacuum. Two other adequacy developments offer comparative lessons for Austrian compliance teams.

UK adequacy. The European Commission’s adequacy decision for the United Kingdom, adopted in June 2021, included a sunset clause requiring review. The UK’s own data protection regime under the UK GDPR and Data Protection Act 2018 has been the subject of reform proposals, and the UK Information Commissioner’s Office (ICO) continues to issue guidance on international transfers. Industry observers expect the Commission’s adequacy review to scrutinise the UK’s evolving approach to surveillance and automated decision‑making. For Austrian businesses transferring data to the UK, the lesson is clear: adequacy decisions are inherently time‑limited and politically contingent; the same layered approach (SCCs plus supplementary measures) recommended for US transfers should apply to UK transfers as well.

EU‑Brazil adequacy. The European Commission’s adequacy decision for Brazil, the first for a major Latin American economy, is widely viewed as a more structurally durable model because it was adopted after Brazil enacted the Lei Geral de Proteção de Dados (LGPD), which closely mirrors the GDPR in scope and enforcement architecture. The decision demonstrates that adequacy is most resilient when the recipient country’s domestic law provides independent supervisory oversight and effective judicial remedies, precisely the elements the DPF’s critics argue are absent in the US framework.

Practical Stress‑Test Checklist for Austrian Businesses

The following checklist is designed for compliance teams, operational managers, and procurement functions within Austrian organisations. It is structured into four domains with a phased escalation timeline.

Legal

  • Complete a full inventory of all third‑country data transfers, specifying the transfer mechanism for each.
  • Run or update TIAs for every SCC‑based or DPF‑based transfer to the United States.
  • Amend existing SCCs to include supplementary clauses, for example: “The data importer shall promptly notify the data exporter of any legally binding request for disclosure of personal data by a public authority, unless otherwise prohibited. The data importer shall challenge any request it considers disproportionate under applicable law and shall exhaust available appeal mechanisms before disclosing any data.”
  • Review whether any transfers qualify for Article 49 derogations (explicit consent, contractual necessity) as a last‑resort fallback.

Technical

  • Deploy end‑to‑end encryption for data in transit and at rest, ensuring decryption keys are held exclusively within the EEA.
  • Evaluate data localisation options: can the processing be performed within the EEA or in an adequate jurisdiction instead?
  • Implement pseudonymisation or anonymisation before export wherever operationally feasible.

Contractual and Vendor Management

  • Add audit rights to all data processing agreements permitting on‑site and documentary review of the importer’s compliance.
  • Include data‑localisation clauses requiring the vendor to store and process data in specified jurisdictions.
  • Insert termination provisions triggered by a change in adequacy status, giving the exporter the right to suspend or terminate transfers within a defined period.

Governance and Escalation Timeline

  • Within 72 hours of an adverse ruling: Activate the incident response plan; suspend transfers that lack an alternative legal basis; notify the DPO and executive board.
  • Within 30 days: Complete TIA updates for all remaining transfers; execute SCC amendments; brief affected business units and key vendors.
  • Within 90 days: Conclude BCR applications (if applicable); implement technical supplementary measures; conduct a governance review and document lessons learned.

Timeline of Likely Scenarios and Next Steps

The CJEU’s timeline for deciding the DPF appeal is uncertain, but historical precedent and procedural indicators allow for broad scenario planning:

  • Fast‑track scenario (3–9 months): The CJEU prioritises the case and either issues an expedited judgment or refers specific questions to the Advocate General for an early opinion. Industry observers consider this plausible if the court regards the issue as being of high systemic importance.
  • Standard scenario (9–18 months): The case follows the normal appeals timetable, with an Advocate General’s opinion followed by a Grand Chamber judgment. This is the most probable trajectory based on comparable privacy cases.
  • Extended scenario (18+ months): Procedural delays, requests for additional submissions, or intervening political developments (such as renegotiation of the DPF) lengthen the process. Under this scenario, the DPF remains in effect but under a cloud of legal uncertainty.

Regardless of which timeline materialises, the recommended action cadence remains the same: act now, review quarterly, and maintain the ability to shift to alternative transfer mechanisms at short notice.

Conclusion: Preparing for Cross‑Border Data Transfers After the DPF Appeal

The DPF appeal represents the third major test of the EU‑US data transfer framework in barely a decade. For Austrian businesses, the lesson from Schrems I and Schrems II is unambiguous: reliance on a single transfer mechanism is a strategic vulnerability. Organisations that layer SCCs with robust supplementary measures, maintain current TIAs, and build operational contingency plans will be best positioned to absorb the impact of a Schrems III ruling, whenever it comes.

Cross‑border data transfers after the DPF appeal demand proactive, documented, and multi‑layered compliance. Austrian controllers should treat the current period not as a waiting game but as an opportunity to stress‑test their data transfer architecture and close any gaps before the CJEU delivers its judgment.

For tailored guidance on TIA preparation, SCC amendments, or BCR applications under Austrian law, explore the Global Law Experts lawyer directory to connect with a data protection specialist.

Last reviewed: 25 May 2026

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact János Böszörményi at Schönherr Rechtsanwälte GmbH (‘Schoenherr’), a member of the Global Law Experts network.

FAQs

What is the EU‑US Data Privacy Framework (DPF) and why is the appeal important?
The DPF is an adequacy decision adopted by the European Commission in 2023 permitting personal data transfers from the EEA to certified US organisations. The appeal is important because it could lead to the CJEU invalidating the decision, a Schrems III scenario, removing the legal basis for thousands of transatlantic data flows.
Yes, SCCs remain valid independently of the DPF. However, they must be supported by a completed transfer impact assessment and, where necessary, supplementary technical and contractual measures to ensure an essentially equivalent level of protection.
A TIA is a documented analysis of the recipient country’s legal framework and the effectiveness of the safeguards protecting transferred data. Depending on the complexity of the data flows, a TIA typically takes two to eight weeks to complete.
There is no legal obligation to pause transfers while the DPF remains valid. However, businesses should ensure they have an alternative legal basis (such as SCCs with supplementary measures) ready to activate at short notice if the DPF is struck down.
The Austrian DPA (DSB) can impose administrative fines of up to EUR 20 million or 4 % of global annual turnover under the GDPR, and has a track record of proactive enforcement in international transfer cases. An absent or incomplete TIA is itself a compliance failure the DSB can sanction.
The EU‑Brazil adequacy decision and the UK adequacy decision offer useful comparative precedents, but each is subject to periodic review and its own political risks. The recommended approach is to treat every adequacy decision as time‑limited and to maintain SCC‑based fallback mechanisms for all third‑country transfers.
The EDPB publishes guidance and recommendations at edpb.europa.eu. CJEU case dockets and press releases are available through the Court’s official website. The European Commission’s DPF materials are published at dataprivacyframework.gov.