Dentons’ Privacy Community met on 3 February to discuss how to tackle data transfers from the EU and UK to third countries following the CJEU’s decision in the Schrems II case, the European Data Protection Board’s subsequent guidance, and the European Commission’s draft replacement Standard Contractual Clauses (SCCs). Here are the key takeaways:   

  • The general picture: When exporting data to third countries based on the SCCs, or Binding Corporate Rules, data exporters must conduct an adequacy assessment (based on their data flows) and, to address any gaps, put in place supplementary measures to bolster the SCCs.
  • The market approach to compliance is generally driven by a desire to comply with the ruling, although how this will be achieved depends on what type of organisation you are. For example, cloud service providers who import data to third countries are under pressure to reassure customers as regards handling requests from state agencies to disclose personal information, and some have proactively prepared statements about their supplementary measures.
  • Most businesses are still in the planning phase of their effort to comply, or are in the process of mapping their data flows. This is generally due to an absence of definitive regulatory guidance. Organisations with comprehensive and up-to-date data maps (in their article 30 records) will find this process easiest!
  • We are expecting a final decision on the EDPB’s supplementary measures guidelines in April. The market is keen to see a settled regulatory approach, and is generally hesitant to commit to implementing measures until this is confirmed. Once the guidelines have been finalised, we are also expecting national regulators to articulate what they think compliance with Schrems II looks like in practice – in particular, how to assess and address risk of use of the data by state agencies. In the meantime, it is worth keeping an eye on the German state regulators (all 16 of them), who have been proactive in trying to work through the issues raised by the ruling.
  • As market practice evolves, organisations should prioritise an approach built on accountability (documenting transfer impact assessments) and diligent data mapping. The regulators might not expect perfection at this stage, not least given the complexity of conducting local law assessments in practice (one of the elements raised in the Schrems II judgment and the EDPB guidance) (… the European Commission takes years to reach its own adequacy decisions!).  
  • For transfers to the US, organisations can build an understanding of US surveillance law into their choice of supplementary measures. Recognising the kinds of organisations likely to receive a warrant under the Foreign Intelligence Surveillance Act s.702 in practice, coupled with an understanding of the jurisdiction of these warrants, allows organisations to mitigate the risks of those transfers: removing encryption keys from the jurisdiction of FISA 702 is an example of this. Individuals can be better protected where their information is held within the US, rather than where it is held by a US organisation elsewhere.
  • The new modular SCCs are a welcome development that plug a number of gaps in the existing clauses, but in their draft form pose a number of challenges. In particular, provision for processor-to-processor transfers, as well as reverse transfers, are welcome developments. However, the practicalities of implementing the new clauses within the one-year grace period will prove challenging for organizations with complex data flows, particularly as they grapple with Schrems II compliance in parallel.
Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
Todd Daubert

About Todd Daubert

Todd Daubert is a partner in Dentons' Washington, DC, office and chair of the Firm's Communications and Technology sectors. Todd has nearly two decades of experience advising companies that develop, integrate and deploy new technologies in transactional, regulatory, litigation and appellate matters. Leveraging a background in engineering, Todd crafts innovative solutions that help clients, from startups to global players, achieve their strategic objectives and minimize their risks, resulting in improved business results and profitability.

Full bio

Simon Elliott

About Simon Elliott

Simon focuses on advising multinational corporates on a wide range of data protection and technology law issues.

Full bio

Nick Graham

About Nick Graham

Nick Graham is the Global Co-Chair of Dentons' Privacy and Cybersecurity Group. He specialises in data privacy, cybersecurity, information governance. Nick advises across all sectors including retail, telecoms, energy, manufacturing, banking, insurance, transport, technology and digital media.

Full bio

Tatiana Kruse

About Tatiana Kruse

Tatiana is legacy head of the Intellectual Property and Technology and Communications practices and is now Of Counsel in the Firm's London office, having retired from the partnership.

Full bio

Giangiacomo Olivi

About Giangiacomo Olivi

Giangiacomo Olivi is a partner in Dentons’ Milan office, Europe Co-head of the Data Privacy and Cybersecurity group and Europe Co-head of the Media sector group. He is a member of the global Intellectual Property and Technology practice.

Full bio

Christian Schefold

About Christian Schefold

Dr. Christian Schefold, LL.M., is a Partner in the Berlin office of Dentons, a member of the Corporate practice and co-heading the German Compliance practice. He focuses on compliance, corporate and data protection law.

Full bio

RELATED POSTS