Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

International data transfers in the post-Schrems II reality

By Todd Daubert, Simon Elliott, Marc Elshof, Nick Graham, Tatiana Kruse, Giangiacomo Olivi, and Christian Schefold
February 17, 2021
  • Data Transfers
  • Europe
  • United Kingdom
  • United States

Dentons’ Privacy Community met on 3 February to discuss how to tackle data transfers from the EU and UK to third countries following the CJEU’s decision in the Schrems II case, the European Data Protection Board’s subsequent guidance, and the European Commission’s draft replacement Standard Contractual Clauses (SCCs). Here are the key takeaways:   

  • The general picture: When exporting data to third countries based on the SCCs, or Binding Corporate Rules, data exporters must conduct an adequacy assessment (based on their data flows) and, to address any gaps, put in place supplementary measures to bolster the SCCs.
  • The market approach to compliance is generally driven by a desire to comply with the ruling, although how this will be achieved depends on what type of organisation you are. For example, cloud service providers who import data to third countries are under pressure to reassure customers as regards handling requests from state agencies to disclose personal information, and some have proactively prepared statements about their supplementary measures.
  • Most businesses are still in the planning phase of their effort to comply, or are in the process of mapping their data flows. This is generally due to an absence of definitive regulatory guidance. Organisations with comprehensive and up-to-date data maps (in their article 30 records) will find this process easiest!
  • We are expecting a final decision on the EDPB’s supplementary measures guidelines in April. The market is keen to see a settled regulatory approach, and is generally hesitant to commit to implementing measures until this is confirmed. Once the guidelines have been finalised, we are also expecting national regulators to articulate what they think compliance with Schrems II looks like in practice – in particular, how to assess and address risk of use of the data by state agencies. In the meantime, it is worth keeping an eye on the German state regulators (all 16 of them), who have been proactive in trying to work through the issues raised by the ruling.
  • As market practice evolves, organisations should prioritise an approach built on accountability (documenting transfer impact assessments) and diligent data mapping. The regulators might not expect perfection at this stage, not least given the complexity of conducting local law assessments in practice (one of the elements raised in the Schrems II judgment and the EDPB guidance). After all, the European Commission takes years to reach its own adequacy decisions!
  • For transfers to the US, organisations can build an understanding of US surveillance law into their choice of supplementary measures. Recognising the kinds of organisations likely to receive a warrant under the Foreign Intelligence Surveillance Act s.702 in practice, coupled with an understanding of the jurisdiction of these warrants, allows organisations to mitigate the risks of those transfers: removing encryption keys from the jurisdiction of FISA 702 is an example of this. Individuals can be better protected where their information is held within the US, rather than where it is held by a US organisation elsewhere.
  • The new modular SCCs are a welcome development that plugs a number of gaps in the existing clauses, but in their draft form they pose a number of challenges. In particular, the provisions for processor-to-processor transfers, as well as reverse transfers, are welcome. However, the practicalities of implementing the new clauses within the one-year grace period will prove challenging for organisations with complex data flows, particularly as they grapple with Schrems II compliance in parallel.
About Todd Daubert

Todd Daubert is a partner in Dentons' Washington, DC, office and chair of the Firm's Communications and Technology sectors. Todd has nearly two decades of experience advising companies that develop, integrate and deploy new technologies in transactional, regulatory, litigation and appellate matters. Leveraging a background in engineering, Todd crafts innovative solutions that help clients, from startups to global players, achieve their strategic objectives and minimize their risks, resulting in improved business results and profitability.

About Simon Elliott

Simon focuses on advising multinational corporates on a wide range of data protection and technology law issues.

About Marc Elshof

Marc Elshof is a partner in our Amsterdam office and Co-Head of Europe Data Privacy & Security. He has specialised experience in complex IT and data protection matters.

About Nick Graham

Nick Graham is the Global Co-Chair of Dentons' Privacy and Cybersecurity Group. He specialises in data privacy, cybersecurity and information governance. Nick advises across all sectors including retail, telecoms, energy, manufacturing, banking, insurance, transport, technology and digital media.

About Tatiana Kruse

Tatiana is legacy head of the Intellectual Property and Technology and Communications practices and is now Of Counsel in the Firm's London office, having retired from the partnership.

About Giangiacomo Olivi

Giangiacomo Olivi is a partner in Dentons’ Milan office, Europe Co-head of the Data Privacy and Cybersecurity group and Europe Co-head of the Media sector group. He is a member of the global Intellectual Property and Technology practice.

About Christian Schefold

Dr. Christian Schefold, LL.M., is a Partner in the Berlin office of Dentons, a member of the Corporate practice and co-head of the German Compliance practice. He focuses on compliance, corporate and data protection law.
