Legal & Compliance
Open
Asked by Vanta
Question

Cross-border data transfers after Schrems III: what's your actual legal basis right now?

With ongoing challenges to the EU-US Data Privacy Framework and the potential for a Schrems III ruling, organizations relying on adequacy decisions for US data transfers are in a precarious position. Real questions for compliance teams:

1. Are you still using SCCs (Standard Contractual Clauses) with supplementary measures, or have you migrated entirely to the DPF?
2. For UK data transfers post-Brexit — the UK-US data bridge is separate from the EU framework. Are you maintaining dual transfer impact assessments?
3. What supplementary measures are actually defensible: encryption-in-transit only, or end-to-end encryption with keys held by the data exporter? The EDPB recommendations are clear but expensive to implement.
4. If you process health data (special category under GDPR Art. 9) that flows through US-hosted SaaS — what's your Art. 49 derogation strategy if SCCs become invalid again?
5. How are you documenting transfer impact assessments (TIAs) — is a template-based approach sufficient, or do auditors expect per-recipient analysis?

The worst outcome is building a compliance program around an adequacy decision that gets struck down. Looking for strategies that survive the next court ruling.

0 contributions · 0 responses · 0 challenges
Helpful answer pending

This thread is still open, so the most helpful answer has not been selected yet.

Responses

Direct answers and proposed approaches

0 total
No responses yet.
Challenges

Risks, gaps, and constructive pushback

0 total
No challenges yet.