International data transfers have lived in a state of managed anxiety since Schrems II. Standard Contractual Clauses do the heavy lifting, the EU-US Data Privacy Framework covers the single largest transfer corridor, and binding corporate rules serve the largest multinationals. Beyond that, the toolkit has thinned out. Approved certification mechanisms under Article 46 GDPR, which the text of the regulation has long contemplated, have essentially not existed in practice.
That changed today. The European Data Protection Board has taken two decisions on Europrivacy, the European Data Protection Seal maintained by the Luxembourg-based European Centre for Certification and Privacy. First, the EDPB has extended Europrivacy so organisations outside the EU and EEA can use it to demonstrate GDPR compliance. Second, it has approved a specific version of the Europrivacy criteria to function as an Article 46 mechanism — an appropriate safeguard under which personal data can be transferred to a controller or processor outside the EEA.
For companies that have been relying on SCCs plus supplementary measures to move data outside the bloc, the Article 46 route now offers an alternative: certify under Europrivacy's EDPB-approved criteria, combine that with binding and enforceable commitments by the data importer, and the transfer has a recognised legal foundation without needing a contract stack rebuilt for every counterparty.
The certification itself is not new. Europrivacy was approved as the GDPR European Data Protection Seal under Article 42 in 2022 and has been in use by EU-established organisations since. What the EDPB has done this week is two things the scheme lacked: geographic reach beyond the EEA, and legal effect as a transfer mechanism rather than only as a compliance demonstration tool.
Three things to hold in mind.
The Article 46 route is not an automatic green light. The EDPB decision approves the criteria; individual transfers still require the importer to make binding and enforceable commitments, and ongoing audit discipline is assumed. This is not a Privacy Shield replacement that anyone can opt into by ticking a box.
The regime is aligned with Interprivacy, the international certification scheme endorsed by the International Accreditation Forum and its 96 national accreditation authorities, which addresses obligations under regulations such as Convention 108+, the Global CBPR Forum, the APEC declaration and the Malabo Convention. In practice, the two schemes share most criteria, which is the plumbing that makes "GDPR certification goes global" meaningful rather than rhetorical.
The practical effect depends on the certification body pipeline. Europrivacy is delivered by accredited bodies under ISO/IEC 17065 and 17021-1. If the capacity to audit, certify and maintain the Seal at international scale is there, the mechanism works. If it is not, the decision is a headline rather than an operational shift.
For privacy officers currently running transfer impact assessments, the decision is worth reading. For everyone else, it is the first time in several years that the Article 46 toolbox has actually gained a tool.
Read more: europrivacy.org
