Module 25 of 26 · Practice & Strategy

Governance, regulation, and compliance

30 min read · 3 outcomes · Interactive + terminal · 6 references

By the end of this module you will be able to:

  • Identify the correct GDPR lawful basis for a given data processing activity
  • Explain the Schrems II ruling and its implications for international data transfers
  • Apply the accountability principle to design a compliance-by-design data architecture

European Union flag and digital privacy symbols representing GDPR enforcement and data protection (photo by Christian Wiediger on Unsplash)

Real-world enforcement · May 2023

Meta fined €1.2 billion for transferring EU user data to the US without adequate safeguards

In May 2023, the Irish Data Protection Commission (DPC) issued the largest GDPR fine in history: €1.2 billion against Meta Platforms Ireland, plus an order to suspend data transfers from the EU to the US within 5 months. The root issue was Schrems II.

In July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield framework in the Schrems II ruling. The court found that US surveillance law (particularly FISA Section 702 and Executive Order 12333) did not provide EU citizens with equivalent protections to those guaranteed under EU law. Standard Contractual Clauses (SCCs) - the main alternative transfer mechanism - were still valid in principle but required a case-by-case Transfer Impact Assessment (TIA) to verify that the recipient country's legal framework did not undermine the SCCs.

Meta had continued transferring data using SCCs without conducting adequate TIAs. The DPC found this insufficient. The EU-US Data Privacy Framework (agreed July 2023) has since created a new transfer mechanism, but Meta's €1.2 billion fine remains a landmark demonstration that international data transfer compliance has direct financial consequences.

Meta processed EU user data on US servers under Standard Contractual Clauses. The Irish DPC ruled these clauses were insufficient because US surveillance law (FISA 702) meant EU data was not adequately protected. What must an organisation do when transferring personal data across jurisdictions?

With the learning outcomes established, this module begins by examining GDPR's six lawful bases for processing in depth.

25.1 GDPR: six lawful bases for processing

GDPR Article 6 requires that every processing activity of personal data have a lawful basis. The controller must identify and document the basis before processing begins; switching bases after the fact is not permitted. The six lawful bases are:

  • Consent (Article 6(1)(a)): The data subject has freely given specific, informed, and unambiguous consent. Consent must be as easy to withdraw as to give. It is appropriate for marketing emails, optional analytics, and personalisation, and it is the weakest basis because it can be withdrawn at any time.
  • Contract (Article 6(1)(b)): Processing is necessary for the performance of a contract with the data subject, or to take pre-contractual steps. Delivering an order to the address provided is processing under contract. Behavioural advertising is not: Meta's €390M fine (January 2023) arose from claiming advertising was necessary for the social media service contract.
  • Legal obligation (Article 6(1)(c)): Processing is required by law. Tax reporting, anti-money laundering checks, and employment records are examples. Legal obligation overrides erasure requests.
  • Vital interests (Article 6(1)(d)): Processing is necessary to protect someone's life, for example sharing a patient's blood type with emergency services. It is intended as a last resort when the subject cannot consent.
  • Public task (Article 6(1)(e)): Processing is necessary for a public authority to perform a statutory function. Examples include NHS patient records for treatment, HMRC tax assessments, and police investigations.
  • Legitimate interests (Article 6(1)(f)): The controller has a legitimate interest that is not overridden by the rights and interests of the data subject, after a documented balancing test. Available to private sector organisations; not available to public authorities acting in an official capacity. Fraud prevention, network security monitoring, and direct marketing to existing customers are common legitimate interest use cases.

With an understanding of the six lawful bases in place, the discussion can now turn to international transfers (Schrems II and the Data Privacy Framework), which build directly on these foundations.

The controller shall be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data.

GDPR Regulation (EU) 2016/679 - Article 5(2) - the accountability principle

The accountability principle is the foundation of GDPR compliance. It is not enough to comply; the controller must be able to demonstrate compliance through records of processing activities, privacy impact assessments, data protection policies, staff training logs, and contractual evidence. In an enforcement investigation, the ICO or DPC will ask for documentation. Organisations without records cannot demonstrate compliance even if they are in fact compliant.


25.2 International transfers: Schrems II and the Data Privacy Framework

Transferring personal data from the EU to a country outside the European Economic Area (EEA) requires that the recipient country provides an "adequate level of protection." The European Commission publishes adequacy decisions for specific countries (UK has a time-limited adequacy decision post-Brexit; Japan, New Zealand, and others have full decisions). For countries without adequacy decisions (including the US until the 2023 EU-US Data Privacy Framework), transfers require alternative safeguards.

Standard Contractual Clauses (SCCs) are pre-approved contract terms that impose GDPR-equivalent obligations on the data importer. Following Schrems II (July 2020), using SCCs alone is insufficient: the controller must conduct a Transfer Impact Assessment (TIA) analysing whether the recipient country's surveillance law allows the importing organisation to honour the SCC commitments. If the law does not, supplementary technical measures (such as end-to-end encryption where the importer holds no keys) may be required.

The EU-US Data Privacy Framework (DPF, adopted July 2023) reinstated an adequacy mechanism for US organisations certified under the framework, addressing the surveillance law objections through Executive Order 14086 (which established a Data Protection Review Court). The UK Extension to the DPF was approved in October 2023, covering UK-to-US transfers. Organisations that relied on Privacy Shield must recertify under the DPF. However, the framework faces ongoing legal challenges and may be subject to further Schrems litigation.

Binding Corporate Rules (BCRs) provide a third mechanism for multinational organisations to transfer data internally across countries. BCRs require approval from a lead supervisory authority and apply to all entities within the corporate group. The approval process typically takes 18-24 months and is only practical for large organisations with significant global data flows.

With international transfers covered, the discussion can now turn to UK GDPR, NIS2, and the wider compliance landscape, which build directly on these foundations.

Common misconception

Encrypting data before transferring it to a US cloud provider fully resolves Schrems II compliance concerns.

Encryption reduces risk but does not automatically resolve the transfer concern. The key question is: who holds the encryption keys? If the US cloud provider holds the keys, US surveillance authorities can compel access to the decrypted data, which means the transfer may still undermine the SCC commitments. The only technical measure that fully addresses Schrems II is end-to-end encryption where the EU-based controller retains all encryption keys and the US processor cannot access plaintext. This rules out most standard cloud services in their default configurations.
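As an added illustration of the key-custody point (example code written for this page, not part of the original module): the EU controller encrypts each record with AES-256-GCM under a key it alone generates and holds, and exports only the envelope; the US processor can store and hand over that envelope but cannot produce plaintext. The Controller, Processor and Envelope names and the record values are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Envelope is all that crosses the border: nonce and ciphertext, never the key.
type Envelope struct{ Nonce, Ciphertext []byte }
// Controller is the EU-based exporter; the AES-256 key is generated and kept here.
type Controller struct{ aead cipher.AEAD }

func NewController() (*Controller, error) {
	key := make([]byte, 32) // constructed per-controller key; it is never exported
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Controller{aead: g}, nil
}

// Seal encrypts a record before export, binding the record ID as associated data.
func (c *Controller) Seal(recordID string, plaintext []byte) (Envelope, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := c.aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// Open recovers plaintext; it can only run where the key lives, in the EU.
func (c *Controller) Open(recordID string, e Envelope) ([]byte, error) {
	return c.aead.Open(nil, e.Nonce, e.Ciphertext, []byte(recordID))
}

// Processor is the US importer: it holds envelopes but no key, so anything it could be compelled to disclose is ciphertext.
type Processor map[string]Envelope

func (p Processor) Store(recordID string, e Envelope) { p[recordID] = e }
func (p Processor) Disclose(recordID string) (Envelope, bool) { e, ok := p[recordID]; return e, ok }
```

The contrast with a provider-managed key is the absence of any Open method on Processor: whatever it is compelled to disclose, it can only return the Envelope.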

25.3 UK GDPR, NIS2, and the compliance landscape

Following Brexit, the UK retained GDPR in domestic law as UK GDPR (Data Protection Act 2018, amended by the European Union (Withdrawal) Act 2018). UK GDPR is substantively identical to EU GDPR in most respects, but UK organisations must consider two separate regulatory regimes: EU GDPR applies to processing related to EU residents, and UK GDPR applies to processing related to UK residents.

The UK government has pursued regulatory divergence: the Data (Use and Access) Act 2025 (previously the Data Protection and Digital Information Bill) introduces reforms including a more flexible approach to automated decision-making, new digital identity provisions, and changes to the legitimate interests balancing test. UK organisations should monitor ICO guidance rather than assuming UK GDPR and EU GDPR remain aligned.

The EU NIS2 Directive (Network and Information Systems Directive 2, adopted October 2022, transposition deadline October 2024) extends cybersecurity obligations to a much broader set of sectors than the original NIS1. Essential entities (energy, transport, health, water, digital infrastructure) and important entities (postal services, waste management, manufacturing, food, research) must implement proportionate security measures, report significant incidents to national authorities within 24 hours (initial notification) and 72 hours (full report), and ensure supply chain security. Senior management is personally liable for compliance failures.

Legal documents and compliance framework materials representing data regulation and governance structures (photo by Tingey Injury Law Firm on Unsplash)

Data regulation spans multiple overlapping frameworks: GDPR (personal data), NIS2 (network security), sector-specific rules (PCI DSS for payments, HL7 FHIR for health), and national implementations that continue to diverge post-Brexit.

25.4 Check your understanding

A retail company wants to send promotional emails about new products to customers who have previously purchased. The marketing team argues this is legitimate interests; the legal team argues consent is required. Under GDPR, which is correct?

Following the Schrems II ruling, a UK fintech transfers customer personal data to a US data analytics partner under updated SCCs. The DPO has not yet conducted a Transfer Impact Assessment. What risk does the organisation face?

A healthcare data platform subject to NIS2 (as an essential entity) experiences a ransomware attack at 09:00 on Monday. By when must it make its initial notification to the national competent authority, and what must that notification contain?


Key takeaways

  • Every GDPR processing activity requires one of six lawful bases, documented before processing begins: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Misidentifying the basis (e.g. claiming contract for behavioural advertising) is an enforcement trigger.
  • Schrems II (July 2020) invalidated Privacy Shield and requires Transfer Impact Assessments for any transfer to a non-adequate country using SCCs. The EU-US Data Privacy Framework (July 2023) provides a new adequacy mechanism for certified US organisations.
  • The accountability principle (GDPR Article 5(2)) requires that compliance be demonstrable through documented records, not merely achieved. RoPA, DPIAs, training logs, and contractual evidence are the artefacts that demonstrate compliance.
  • NIS2 extends cybersecurity notification obligations to essential and important entities in 18 sectors, with 24-hour early warning and 72-hour full notification requirements. Senior management is personally liable for compliance failures.

Standards and sources cited in this module

  1. GDPR Regulation (EU) 2016/679

    Full text of the regulation including Article 6 (lawful bases), Article 5(2) (accountability), Article 30 (RoPA), Article 35 (DPIA), and Article 46 (international transfer mechanisms).

  2. CJEU, Data Protection Commissioner v Facebook Ireland (Schrems II), Case C-311/18 (July 2020)

    Landmark ruling invalidating Privacy Shield and establishing the TIA requirement for SCCs-based transfers.

  3. EU-US Data Privacy Framework (July 2023)

    The current adequacy mechanism for EU-US transfers. Includes the DPF principles and certification process.

  4. Irish DPC Decision on Meta Platforms Ireland (May 2023)

    Source for the €1.2 billion fine and the suspension order for EU-US data transfers under SCCs.

  5. NIS2 Directive (EU) 2022/2555

    Full text of NIS2 including the notification timeline (Article 23) and the expanded scope of essential and important entities.

  6. UK ICO: Lawful basis for processing

    Practical guidance on choosing and documenting the lawful basis under UK GDPR, including the Legitimate Interests Assessment checklist.
