Deep-dive · Design 2.5

Letting data leave the EEA

Region choice is one of the first decisions you make and one you cannot reverse without a migration. Personal data leaves the EEA only with a valid mechanism, and since Schrems II that often means extra homework. Scroll through the decision.

The ruleDefault to an EU region, and do not let personal data leave the EEA without a valid mechanism (adequacy, SCCs plus a TIA, or BCRs). Region choice is nearly irreversible, so get it right in hour one.
EU personal datadefault: store in an EU region
↓ does it leave the EEA?
AdequacyArt. 45 · UK, Switzerland, DPF-certified US
SCCs / BCRsArt. 46 · plus a TIA
DerogationArt. 49 · narrow
↓ if the destination's surveillance law is a problem
Supplementary measuresEU-held keys, pseudonymisation, contractual
Hidden transferscontrol plane, IAM, support, global services
Step 1 · the first decision

Default to an EU region

Pick an EU region as the primary home for any EU-personal-data system, even if your company's centre of gravity is elsewhere. Defaulting to us-east-1 is the most common avoidable mistake, and it is nearly irreversible.

Step 2 · the gate

Leaving the EEA needs one valid mechanism

Data may go outside the EEA only with (a) an adequacy decision, (b) appropriate safeguards such as SCCs or BCRs, or (c) a narrow Art. 49 derogation. No mechanism, no transfer.

Step 3 · the easy path

Adequacy, where it exists

For an adequacy country (Art. 45) the transfer needs no extra safeguard. The list includes the UK, Switzerland, Japan, and the US for organisations self-certified to the Data Privacy Framework. Treat the DPF as "valid today, verify before relying on it": a CJEU appeal is pending.

Step 4 · the common path

SCCs, and the Schrems II homework

Standard Contractual Clauses (Art. 46) are the usual route. Since Schrems II they are not enough on their own: run a Transfer Impact Assessment, and where the destination's surveillance law is problematic, add supplementary measures.

Step 5 · not a default

Derogations are exceptions, not patterns

Art. 49 derogations (explicit consent, contract necessity, legal claims) are for one-off situations. "Explicit consent" for routine transfers is fragile; "necessary for the contract" is narrow. Do not build on them.

Step 6 · the strongest measure

Keys you hold in the EU

"Encrypted with keys we control in the EU" is the strongest supplementary measure. Use customer-managed keys in an EU KMS for anything that touches non-EU infrastructure, even ancillary services like CDN, observability and support tooling. Keep a transfer register parallel to the RoPA.

Step 7 · the trap

"We use Frankfurt" is not a complete answer

Control plane operations, IAM, billing metadata, support data and some global services involve US processing regardless of the data-plane region. And residency is not sovereignty: under the CLOUD Act a US-headquartered provider can be compelled to produce data even when it sits in the EU. Document those flows; consider sovereign-cloud options where it matters.