The European Data Protection Board (EDPB) has approved the global expansion of the Europrivacy certification scheme, enabling companies outside Europe to use it as a formal mechanism for international data transfers under the General Data Protection Regulation (GDPR).
The decision, adopted on 15 April 2026, allows Europrivacy to function both as a European data protection seal and as a recognised safeguard for transferring personal data to third countries under Article 46 GDPR. The move introduces a certification-based pathway for organisations handling cross-border data flows, particularly where no adequacy decision exists.
According to the European Centre for Certification and Privacy, which developed the scheme, the change enables companies worldwide subject to GDPR obligations to demonstrate compliance through independent audits. The organisation said the extension would “facilitate international data transfers” while strengthening trust and legal certainty for businesses operating across jurisdictions.
The EDPB’s opinion follows a formal process triggered by Luxembourg’s supervisory authority, which submitted updated criteria in January 2026. The board concluded that the revised framework, known as version 82, aligns with GDPR requirements and can be used as a transfer tool, provided data importers commit to binding and enforceable obligations.
Under the approved model, certification alone is not sufficient. Data importers outside the European Economic Area must also sign commitments ensuring compliance with GDPR-equivalent protections, including respect for data subject rights and cooperation with European regulators. Transfers can only begin once certification has been granted.
Legal specialists note that the scheme differs from standard contractual clauses by combining third-party certification with contractual safeguards. This dual structure is intended to provide more granular, entity-specific assurance, although it requires ongoing oversight and periodic audits.
The criteria impose detailed requirements on participating organisations, including conducting transfer impact assessments, appointing a data protection officer, and demonstrating compliance with core GDPR principles such as purpose limitation and data minimisation. Organisations must also suspend transfers if they can no longer meet the certification standards.
The EDPB confirmed that the scheme will be added to its public register of certification mechanisms, making the criteria accessible across all member states. The board also reiterated that certification remains voluntary and does not limit regulators’ enforcement powers.
The development comes as companies continue to face scrutiny over cross-border data practices following the Schrems II ruling in 2020. With more than 4.2 billion euros in GDPR-related fines issued since 2018, the introduction of an additional compliance mechanism is expected to be closely watched by industries reliant on global data flows.
.jpeg "Apple CEO Tim Cook to step down in September, hand control to John Ternus")
