Cerulith · The Transfer · LDN Vendor Shutdown · Sept 2026
Capstone Chain · Module 4 of 6

The Transfer

Sign by quarter-end. Or don't ship at all.

Tuesday 15 September 2026. Pulse's analytics backbone, Quanta Insights, a 40-person Leeds company, has been acquired by a PE roll-up, and Cerulith has been given 12 weeks' notice of service wind-down.

Tom Reiter (Procurement) has done the replacement search. His recommendation: Sift Analytics, San Francisco-based, 180 employees, self-certified under the EU-US Data Privacy Framework and the UK Extension. Tom needs your sign-off by Friday 25 September to hit quarter-end contract close.

Evgeny Morozov, Sift's UK-facing AE, sends the MSA with a cover note: "Our GDPR addendum references our DPF certification — everything else is standard, should be LGTM."

Page 14 of Sift's sub-processor list names Palisade Compute. Palisade is not DPF-certified. Palisade trains the models.

Learning Objectives
By the end of this module:
  • Choose the correct Chapter V transfer basis for a US cloud vendor with DPF certification and an uncertified sub-processor.
  • Design supplementary measures to close sub-processor gaps under Schrems II and the Meta €1.2B precedent.
  • Apply Art 49 derogations correctly — narrow, exceptional, not a routine workaround.
Incident 1 · Tue 15 Sep 2026 · 10:30 · Procurement Room

The MSA

Procurement · Sift MSA pitch
Evgeny Morozov · Sift AE
Forty European customers. AWS us-west-2 primary, us-east-1 failover. DPF self-certified with the US Department of Commerce. Listed on the Data Privacy Framework website this morning.
Tom Reiter · Procurement
LGTM. Please sign by Friday.

Evgeny attaches the standard MSA (38 pages), the GDPR Addendum (11 pages), and Sift's sub-processor list. Your desktop clock reads 10:37. It is Tuesday.

You open the sub-processor list. Page 14: Palisade Compute — California ML-infrastructure vendor. Not DPF-certified. Handles model training.

Chapter V Navigator · Tue 15 Sep · 12:10

Chapter V — Basis Triage

Four questions. Mark each answer correct or incorrect. Your reasoning builds the decision framework for the MSA sign-off.

Decision 1 of 3 · Tue 15 Sep · 14:22

The Basis

Three postures. All three touch DPF, SCCs, and TIA. Only one aligns Cerulith's reality with its contract paper.

Question: What transfer basis do you use for the Sift arrangement?

Consequence · +3 Defensibility

The Mapping

Dr Aisha Khan · to Tom
DPF is valid today. It covers Sift's certified activities. I still need a TIA because DPF has scope limits and the Meta decision is a living precedent. Give me to Monday.
Tom Reiter
Monday. Not Tuesday.

The EU-US DPF survived the Latombe challenge (General Court, 3 Sep 2025) and remains in force as a valid Art 45 adequacy decision; for UK GDPR purposes the UK Extension to the DPF rests on the UK's own adequacy regulations.

EDPB Recommendations 01/2020 set out a six-step method. Steps 1 and 2, mapping every transfer and identifying the tool for each flow, apply whatever the tool, and they are what surface the flows an adequacy decision does not reach. For a flow that DPF covers, the Recommendations do not require the step 3 assessment of US law; for any flow outside the certification, such as a non-certified sub-processor, all six steps apply.

Legal Insight
Why This Was Defensible
  • Art 45 adequacy is the simplest basis but is scope-limited to the organisations and activities actually certified.
  • The ICO accepts the EDPB six-step approach as a way to document a transfer risk assessment and publishes its own TRA tool; either way, the written assessment is what an inspection asks for.
  • DUAA's 'not materially lower' test is less demanding than the EU's 'essentially equivalent' but still requires the assessment to be done and recorded.
Consequence · +1 Defensibility

The Belt-and-Braces

Defensible and thorough — you are over-engineering the transfer paper, which is not a breach. SCCs + Addendum for a DPF-certified flow is allowed but unusual — it adds paper without obvious incremental protection.

Downside: slower contracting, more vendor pushback, less reusable template for the eight vendors Tom has queued.

Legal Insight
Why This Is Mixed
  • Over-protective in law. Under-optimal in practice.
  • SCCs + UK Addendum for a DPF-certified flow adds paper without obvious incremental protection.
Consequence · −2 Defensibility

The Signature

Wrong. Schrems II (C-311/18, para 134) puts the duty on the exporter to verify, before transferring, whether the chosen tool is effective in practice and to add supplementary measures where it is not; the Meta decision (Irish DPC, May 2023, €1.2B) is what that duty costs when it is not met. Signing on the strength of Sift's certification letter records nothing about the Palisade flow, which the certification does not cover.

"Adequacy eliminates the TIA" is a procurement-side framing that does not survive ICO scrutiny once the sub-processor list shows a flow the adequacy decision does not reach.

Legal Insight
Why This Was Indefensible
  • EDPB 01/2020 is tool-neutral: the mapping steps apply to every transfer, and the full method applies to every flow not covered by an adequacy decision.
  • Transferring on paper that does not address the US-law risk is the pattern the Irish DPC penalised in Meta.
Breather · Mon 21 Sep · 09:14 · Aisha's kitchen

The Sub-processor

Redline · contract · red pen

You've completed the TIA. It is 44 pages. Steps 1–3 confirm what you suspected on Tuesday: DPF covers Sift's certified activities.

Step 4 lands on the problem. Palisade Compute, a California ML-infrastructure vendor, appears on Sift's sub-processor list on page 14. Palisade handles model training, including on training data sets that will include Cerulith's historical Pulse records.

Palisade is not DPF-certified. Sift's confirmation to your follow-up email: "Palisade only sees derived feature vectors, not personal data." You ask for the derivation spec. Sift sends a marketing PDF. Feature vectors derived from user records are at best pseudonymised data, which is still personal data (Art 4(5), Recital 26); the claim only holds if the derivation is irreversible and Sift can show how.

MSA Redline · Mon 21 Sep · 15:00

Three Clauses — Mark Each Sub-clause

Mark each sub-clause must-change / nice-to-have / acceptable-as-drafted. Your redline shapes what's on the table in Decision 2.

Decision 2 of 3 · Tue 22 Sep · 15:00

The Palisade Problem

Evgeny is on the call. He has his DPF certification letter open. He has his legal team on standby. Tom is watching the quarter-end ticking.

Question: How do you handle the Palisade sub-processor gap?

Consequence · +3 Defensibility

The Key Ceremony

MSA redline · signed
Dr Aisha Khan · to Evgeny
For Palisade flows we need SCCs Module C and the UK Addendum. On supplementary measures: controller-held KMS keys, encryption at rest and in transit, and engineering controls such that your training pipeline operates on encrypted tensors — Palisade never sees cleartext.
Evgeny Morozov
I'll need to escalate. Give me 48 hours.
Tom Reiter
Forty-eight hours keeps us inside the quarter.

Art 46 SCCs cover the flow DPF does not: the 2021 EU SCCs (Module Three, processor to processor, between Sift and Palisade, with Cerulith's Art 28 authorisation) plus the ICO's International Data Transfer Addendum for the UK GDPR leg. DPF's own Accountability for Onward Transfer principle already obliges Sift to bind Palisade contractually to the same level of protection; the SCCs are how that obligation is evidenced. Supplementary measures per EDPB 01/2020 step 4 close the Schrems II / Meta gap.

Legal Insight
Why This Was Defensible
  • Meta €1.2B is the controlling precedent: SCCs on their own, without supplementary measures that actually address US surveillance law, are insufficient.
  • EDPB 01/2020 Annex 2 treats encryption with keys held by the exporter, and data the importer cannot read in the clear, as effective measures (Use Cases 1 and 3), and says in Use Cases 6 and 7 that no measure is effective where the importer needs cleartext to do its job. "Operates on encrypted tensors" only counts if Palisade's pipeline genuinely never needs cleartext, which is a fact to verify in engineering, not a clause to accept.
  • DUAA's 'not materially lower' test is met on the documented measures.
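The "controller-held keys" measure is easier to assess when you can see exactly what the processor receives. The Go program below is an added example, not code from this page, from Cerulith or from Sift: it implements envelope encryption in which the controller keeps the key-encryption key (KEK) and the processor only ever holds ciphertext plus a data key wrapped under that KEK, then checks that nothing without the KEK can open it. The tenant label, the record format and the function names are assumptions for illustration; it uses only Go's standard-library AES-256-GCM. It does not show training on encrypted data, which is the part that needs a confidential-computing or similar design; it shows the part that is straightforwardly verifiable and documentable in a TIA.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is all the processor receives: ciphertext plus a per-record data key (DEK)
// wrapped under the controller's KEK, which never leaves the controller.
type Envelope struct {
	Tenant     string // bound in as AAD, so an envelope cannot be re-labelled to another tenant
	WrappedDEK []byte
	DEKNonce   []byte
	Ciphertext []byte
	DataNonce  []byte
}

// NewKey returns a fresh random 256-bit AES key; used for the KEK and every DEK.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // a failed CSPRNG is not a recoverable condition
	}
	return k
}

// gcmFor builds AES-256-GCM for a 32-byte key; any other length is a bug, not an input.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // only fails for non-16-byte block sizes; AES is 16
	return aead
}

// seal encrypts under a random nonce; the GCM tag authenticates ciphertext and aad.
func seal(key, aad, plaintext []byte) (nonce, ct []byte) {
	aead := gcmFor(key)
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad)
}

// ControllerSeal runs on the controller side before anything leaves: a fresh DEK
// encrypts the record, the KEK wraps the DEK, and only the envelope is shipped.
func ControllerSeal(kek []byte, tenant string, record []byte) Envelope {
	aad := []byte(tenant)
	dek := NewKey()
	dataNonce, ct := seal(dek, aad, record)
	dekNonce, wrapped := seal(kek, aad, dek)
	return Envelope{Tenant: tenant, WrappedDEK: wrapped, DEKNonce: dekNonce, Ciphertext: ct, DataNonce: dataNonce}
}

// ControllerOpen is the only route back to cleartext and needs the KEK. A party without
// it (processor, sub-processor, or a disclosure demand served on either) gets an error.
func ControllerOpen(kek []byte, env Envelope) ([]byte, error) {
	aad := []byte(env.Tenant)
	dek, err := gcmFor(kek).Open(nil, env.DEKNonce, env.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmFor(dek).Open(nil, env.DataNonce, env.Ciphertext, aad)
}

// Demo exercises the properties a TIA would cite: no cleartext in the envelope, round trip
// only with the KEK, fail-closed on a wrong key or a re-labelled tenant. Returns nil on success.
func Demo() error {
	kek := NewKey()
	// Constructed sample analytics event; not real data.
	record := []byte(`{"user_id":"u-1942","event":"dashboard_open","ts":"2026-09-15T10:37:00Z"}`)
	env := ControllerSeal(kek, "cerulith-pulse", record)
	if bytes.Contains(env.Ciphertext, []byte("u-1942")) {
		return errors.New("cleartext leaked into envelope")
	}
	if got, err := ControllerOpen(kek, env); err != nil || !bytes.Equal(got, record) {
		return errors.New("controller round trip failed")
	}
	if _, err := ControllerOpen(NewKey(), env); err == nil {
		return errors.New("envelope opened without the KEK")
	}
	moved := env
	moved.Tenant = "other-tenant"
	if _, err := ControllerOpen(kek, moved); err == nil {
		return errors.New("tenant re-label not detected")
	}
	return nil
}

func main() {
	err := Demo()
	fmt.Println("controller-held-key envelope checks passed:", err == nil, err)
}
```

Run it with `go run`; `Demo` returns nil when every check holds. The point that matters for the TIA is `ControllerOpen`: every path to cleartext passes through a key Cerulith holds, which is the condition under which EDPB 01/2020 Annex 2 treats encryption as an effective measure. If Palisade's pipeline turns out to need the equivalent of `ControllerOpen` on its side of the boundary, the arrangement collapses into Annex 2 Use Case 6 and no amount of contract paper restores it.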
Consequence · +1 Defensibility

The Vendor Swap

Regulator-clean but commercially expensive. Sift's training pipeline is Palisade-coupled; forcing a swap pushes contract close to Q4 and risks Sift walking. Over-correction: you are choosing the cleanest posture over the correct-enough one.

Legal Insight
Why This Is Mixed
  • Legally strongest. Commercially the hardest sell.
  • An experienced DPO reads the room and prefers the Key Ceremony route unless there is a specific reason Palisade is non-viable.
Consequence · −2 Defensibility

The Assurance

Schrems II puts the verification duty on the exporter, and Meta €1.2B is what failing it costs. Relying on a processor's "derived features only" assurance without technical verification leaves the controller unable to show either that the Palisade flow is out of scope or that it is protected.

This decision becomes Module 6's most prominent exhibit on the transfer front. Sift's marketing PDF is not an audit artefact.

Legal Insight
Why This Was Indefensible
  • Trust-without-verify is the pattern Schrems II forbids and Meta penalised.
  • The sub-processor assurance letter has no enforceable weight.
Decision 3 of 3 · Wed 23 Sep · 11:30 · Oren's chambers · Gray's Inn

The Art 49 Question

Marcus messaged Tom at 08:14: "Can't we just get Art 49 consent from the 730k EU users and skip the SCC drama?"

You've pulled Oren onto the call. He reads EDPB 2/2018 paragraph three. He reads it again.

Question: How do you respond to Marcus?

Consequence · +3 Defensibility

The Line

Chambers · second-opinion call
Dr Oren Ayalon · external DP counsel
Paragraph three. "Derogations are exceptional and must be interpreted restrictively." Paragraph six. "They cannot become the rule in practice." There is no route through Art 49 for routine analytics transfers.
Dr Aisha Khan · to Marcus
Art 49 is the fire exit. We are not in a fire. We have a reasonable SCC-plus-supplementary-measures basis — we take it.

EDPB Guidelines 2/2018 treat Art 49 as exceptional and restrictive.

Art 49(1)(a) requires explicit consent given after the data subject has been informed of the possible risks of the transfer in the absence of an adequacy decision and appropriate safeguards, which in practice means a specific disclosure of US surveillance risk. Consent bundled into continued use of Pulse is unlikely to be 'freely given' (Art 7(4)), and it can be withdrawn at any time, which makes it unusable as the standing basis for an analytics feed.

Legal Insight
Why This Was Defensible
  • EDPB 2/2018 predates Brexit, and the ICO's guidance on the Art 49 exceptions takes the same restrictive line.
  • Using SCCs + supplementary measures is the correct Art 46 path for this situation.
Consequence · +1 Defensibility

The Second Opinion

Defensible — a paper trail of external advice is a mitigating factor if things are later reviewed. Cost: 10 days of slip. Contract closes in Q4. Marcus impatient.

Legal Insight
Why This Is Mixed
  • Not wrong. Not the most efficient use of your own expertise.
  • The paper trail is useful; the delay is the cost.
Consequence · −2 Defensibility

The Shortcut

EDPB Guidelines 2/2018 reject derogation-as-routine by name.

Art 49(1)(a) consent for the "going forward" cohort creates a two-tier transfer regime that erodes every time a consent is withdrawn, and the legacy 730k, whose records are already in Sift's training sets, fall outside it entirely: an unaddressed transfer breach.

Legal Insight
Why This Was Indefensible
  • Derogation-shopping is the specific move EDPB 2/2018 closes.
  • Creates two unresolved compliance problems for the price of one.

The Contract That Held

DPF + SCCs for Palisade + supplementary measures + Art 49 line held.

Affected · Data subjects
2.1M end-users' analytics data is processed under documented transfer basis — DPF for Sift-direct, SCC+UK Addendum for Palisade, supplementary measures in engineering. Privacy notice updated within 45 days citing the specific US processing. No user-facing disruption.
Company · Cerulith
Contract closes 28 September — three days after target. Total legal spend £54k. £32k/yr premium accepted. TIA template becomes reusable for Tom's next eight vendors.
Career · Aisha
The TIA is cited as the model in Aisha's IAPP 2027 keynote and referenced in two industry articles.
Next 50 incidents
Tom's vendor queue processes in 6–10 days each using the TIA template. Supplementary-measures playbook written. Engineering now has a "controller-held-keys" pattern for all US processor relationships.
System · Industry
ICO's post-investigation review (Module 6 epilogue) cites Cerulith's Palisade handling as an example of correct supplementary-measures application.
The Contract That Slipped

SCC-everywhere posture. 15 October slip. £28k external advice.

Affected · Data subjects
No user-facing impact. Processing starts 15 October instead of 1 October.
Company · Cerulith
Sift contract renegotiates. Cerulith accepts an SCC-everywhere posture (more expensive, more paper). Oren's second opinion runs £28k.
Career · Aisha
Aisha's procurement reputation takes a minor hit for 'over-engineering.'
Next 50 incidents
Vendor queue slows because SCC-everywhere is the new floor.
System · Industry
Internal review flags the decision as correct-but-over-cautious.
The Contract That Became An Exhibit

Silent processing change. ICO supervisory order. 23-day interruption.

Affected · Data subjects
Silent processing change — 2M users' data flows to Palisade under an assurance Cerulith did not verify. No visible disruption until the ICO investigation opens in December and transfers are paused by supervisory order.
Company · Cerulith
Pulse analytics interrupted for 23 days during the investigation. Rebuilding costs £4.2M. This decision is the primary transfer exhibit in Module 6.
Career · Aisha
Aisha's Art 38 line invoked. Oren's emergency letter becomes part of the defence.
Next 50 incidents
Every active vendor contract is re-papered during Q1 2027.
System · Industry
Cerulith's transfer posture is cited in the ICO's 2027 AI/cloud-transfer annual guidance as a negative example.
Debrief

What M4 Teaches

Key Points
Five things to keep
  • DPF is a valid basis today but scope-limited to certified organisations and activities.
  • Map every transfer whatever the tool (EDPB 01/2020 steps 1 and 2); adequacy removes the country assessment only for the flows it actually covers, and the mapping is what shows which flows those are.
  • Meta €1.2B is the controlling precedent on supplementary measures: SCCs that do not address the real risk do not count.
  • Art 49 derogations are exceptional. Using them as routine is the pattern EDPB Guidelines 2/2018 rule out by name.
  • DUAA's 'not materially lower' test is UK-only and less demanding than 'essentially equivalent' but still requires the work.

Next module: Six weeks from now, James Okafor will DM you at 16:42 on a Wednesday. The campaign is launching Monday. Legal is cc'd. You will be the only person in the room who's read Recital 47.

Knowledge Check

Five questions on Chapter V, DPF scope, the Meta precedent, Art 49 limits, and the UK IDTA/Addendum.

Module 4 Complete

Next: Module 5, The Consent Trap.