Securiti launches Gencore AI, a holistic solution to build Safe Enterprise AI with proprietary data - easily

View

Assessing Cross-Border Data Transfers After Schrems II Ruling

Published September 6, 2020
Author

Omer Imran Malik

Senior Data Privacy Consultant at Securiti

FIP, CIPT, CIPM, CIPP/US

Listen to the content

The Court of Justice of the European Union (CJEU) released a decision invalidating the US-EU Privacy Shield arrangement for transatlantic data transfers and changing obligations of data controllers when using Standard Contractual Clauses (SCCs) as a mechanism to export data. Among other things, the court held that data controllers may use SCCs to transfer data of EU citizens to a data importer based in a jurisdiction which has been deemed to have inadequate data privacy protections only after:

1. Carrying out a review of the national legislation and regulations relating to data privacy and security of the data importer and verifying whether the existing laws and regulations ensure that the contractual promises within the SCCs can be honored by the importer;

2. If the national legislations and regulations are too weak to allow the SCCs to be enforced, then the controller along with the assistance of the data importer will have to establish supplementary measures to enforce the data importer’s obligation to protect the data under the SCCs;

3. If the data controller, the data importer or the relevant Supervisory Authority believes that the contractual protections on the data as per the SCCs cannot be honored by the data importer then the data transfer between the controller and importer should be cancelled and any data already transferred under the SCCs should be deleted by the data importer.

Analyzing Assessments and Additional Safeguards for Cross Border Data Transfers post Schrems-II

Risk Assessments

Upon a close reading of the CJEU’s judgement, it appears that the data controllers and processors should be focusing on the following factors while conducting the obligatory risk assessments under the SCCs:

1. Identity of the data importer:

  • Is the data importer from a regulated industry?
  • Who is the data importer and in which industry do they work?
  • Does the data importer have the capability to refuse public authorities’ requests to hand over transferred data for surveillance needs?
  • Whether the data importer has received surveillance requests in the past and complied with the same for similar sets of data?

The identity of the data importer matters since some data importers might be targeted more by public authorities in comparison to others due to the industry they work in. Moreover, the data importer’s history of compliance with a regulatory regime and it’s capability to challenge requests for surveillance by public authorities can also help assess the risk of exposure to the personal data being transferred.

2. Assessment of the industry-specific regulatory regime of the data importer:

  • What are the powers, roles and performance of the relevant local regulators?
  • What safeguards and redress are available for data subjects under the relevant legal and regulatory regime?

The type of safeguards and redress available to data subjects under a regulatory regime should be analyzed and evaluated in terms of scope, efficacy and enforceability of protections.

3. The nature of the data and the data transfer:

  • What type of data is it?
  • Is it sensitive personal data?
  • For what purpose is the data being transferred?
  • What is the residual risk to the data subject if the transferred data is exposed or surveilled by the public authorities of the importing country?
  • Has the data subject provided (enhanced) informed and free consent to have his/her personal information transferred despite the risk of it being exposed or surveilled by the public authorities of the data importer’s country?

Some data and transfers are inherently more at risk than others to be the subject of surveillance by governments due to national security concerns and/or law enforcement interests in the type of data being transferred. Similarly, the type of data being transferred also matters as sensitive personal data being exposed to surveillance is more harmful to the data subject compared to other data types.

4. The categories of data subjects:

  • Who are the data subjects whose data is being transferred?
  • Do these data subjects have access to judicial/regulatory bodies in the data importer’s country to exercise their rights and challenge the surveillance of their information?

Some data subjects might be at increased risk of surveillance by a country’s public authorities due to their employment or nationality etc. Similarly, some categories of data subjects (i.e EU citizens who have dual nationality as US citizens) will have the enhanced capability to take action to stop or redress any government action which threatens to expose their data while others might not.

5. The nature and scope of surveillance and national security laws of the data importer’s country:

  • Are the surveillance laws of the data importer’s country expansive or limited in their scope?
  • Are surveillance efforts for national security requirements curtailed by the principles of necessity and proportionality?
  • What is the probability that the transferred personal data will be surveilled?

Some jurisdictions have very well structured surveillance laws and the law applies to some specified industries, people, etc. but some jurisdictions have vaguely worded and overbroad surveillance laws. The risk is less if the laws (and their limitations) are well written and understood.

6. Other supplementary measures used by the data importer to protect the data:

  • Does the data importer employ any industry-specific protections to the transferred data?
  • Does the data importer apply any technical or organizational protections to the transferred data?
  • Are there any protections to the transferred data which are in the nature of international commitments by the data importer or the country the data importer is based in?
  • What supplementary measures will be used in the SCC and how effective would they be in protecting the data?

Some data importers can be subject to additional and independent supplemental measures for the protection of the transferred data that are industry-specific or international in nature (via international treaties or obligations). These can reduce the risk of the transferred data being exposed.

Additional Safeguards

The data controller after conducting a holistic assessment of the risk can choose to enact additional safeguards within the SCCs to protect the data and mitigate risk to achieve compliance with the CJEU judgment. Such additional measures may include:

  • technical and organizational (i.e such as heavy grade encryption of the transferred data with the data importer not having access to encryption key at all times),
  • data minimization (i.e reducing data flow to a data importer if they become subject to surveillance requests or the risk of them being issued a surveillance request increases),
  • other contractual measures that can offer some form of control over data importers by data controllers (i.e the data controller exercises total control on the data importer in relation to the imported data),
  • reporting obligation (the data importer is obligated to inform the data controller of data surveillance requests received on the imported data by public authorities),
  • data protection obligation (i.e obligation upon data importer to delete the data or transfer it forward and to challenge data surveillance requests by public authorities before domestic courts).

Conclusion

"Data controllers in the EU should immediately begin to audit their data sharing practices and prepare for the eventual compliance actions by regulators. NOYB - Max Schrems’ data rights organization - has already filed 101 complaints with various Supervisory Authorities against European companies continuing to transfer data to the US after the judgement and the European Data Protection Board has formed a task force for the implementation of the ruling. Since there is no grace period for companies to adapt to the decision, even tomorrow the Supervisory Authorities can knock on EU data exporters’ doors asking for justifications for data transfers being made to US companies."

Thus adoption and enhancement of SCCs with additional measures to mitigate the risks which arise in risk assessments is the only viable step for many companies (at least in the short term) as other solutions such as Binding Corporate Rules (BCRs) are too expensive and solutions such as enhanced consent are not sustainable or viable for systematic transfers. Until further guidance comes from the authorities or the US and EU authorities can clobber together a Privacy Shield 3.0, these steps are required to ensure the billions of dollars worth of transatlantic trade does not come to a grinding halt.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share


More Stories that May Interest You

On-Demand Webinar

Navigating the Impact of “Schrems II” and Cross-Border Data Transfers

Register Now
Michael Morgan

Michael Morgan

US Head Global Privacy & Cybersecurity Practice, McDermott Will & Emery

Srinivas Avasarala

Srinivas Avasarala

Vice President, Product Management, Securiti

Videos

View More

Mitigating OWASP Top 10 for LLM Applications 2025

Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...

View More

DSPM vs. CSPM – What’s the Difference?

While the cloud has offered the world immense growth opportunities, it has also introduced unprecedented challenges and risks. Solutions like Cloud Security Posture Management...

View More

Top 6 DSPM Use Cases

With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...

View More

Colorado Privacy Act (CPA)

What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...

View More

Securiti for Copilot in SaaS

Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...

View More

Top 10 Considerations for Safely Using Unstructured Data with GenAI

A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....

View More

Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes

As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...

View More

Navigating CPRA: Key Insights for Businesses

What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...

View More

Navigating the Shift: Transitioning to PCI DSS v4.0

What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...

View More

Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)

AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...

Spotlight Talks

Spotlight 47:42

Cybersecurity – Where Leaders are Buying, Building, and Partnering

Rehan Jalil
Watch Now View
Spotlight 46:02

Building Safe Enterprise AI: A Practical Roadmap

Watch Now View
Spotlight 13:32

Ensuring Solid Governance Is Like Squeezing Jello

Watch Now View
Spotlight 40:46

Securing Embedded AI: Accelerate SaaS AI Copilot Adoption Safely

Watch Now View
Spotlight 10:05

Unstructured Data: Analytics Goldmine or a Governance Minefield?

Viral Kamdar
Watch Now View
Spotlight 21:30

Companies Cannot Grow If CISOs Don’t Allow Experimentation

Watch Now View
Spotlight 2:48

Unlocking Gen AI For Enterprise With Rehan Jalil

Rehan Jalil
Watch Now View
Spotlight 13:35

The Better Organized We’re from the Beginning, the Easier it is to Use Data

Watch Now View
Spotlight 13:11

Securing GenAI: From SaaS Copilots to Enterprise Applications

Rehan Jalil
Watch Now View
Spotlight 47:02

Navigating Emerging Technologies: AI for Security/Security for AI

Rehan Jalil
Watch Now View

Latest

View More

Accelerating Safe Enterprise AI with Gencore Sync & Databricks

We are delighted to announce new capabilities in Gencore AI to support Databricks' Mosaic AI and Delta Tables! This support enables organizations to selectively...

View More

Building Safe, Enterprise-grade AI with Securiti’s Gencore AI and NVIDIA NIM

Businesses are rapidly adopting generative AI (GenAI) to boost efficiency, productivity, innovation, customer service, and growth. However, IT & AI executives—particularly in highly regulated...

Key Differences from DLP & CNAPP View More

Why DSPM is Critical: Key Differences from DLP & CNAPP

Learn about the critical differences between DSPM vs DLP vs CNAPP and why a unified, data-centric approach is an optimal solution for robust data...

DSPM Trends View More

DSPM in 2025: Key Trends Transforming Data Security

DSPM trends in 2025 provides a quick glance at the challenges, risks, and best practices that can help security leaders evolve their data security...

The Future of Privacy View More

The Future of Privacy: Top Emerging Privacy Trends in 2025

Download the whitepaper to gain insights into the top emerging privacy trends in 2025. Analyze trends and embed necessary measures to stay ahead.

View More

Personalization vs. Privacy: Data Privacy Challenges in Retail

Download the whitepaper to learn about the regulatory landscape and enforcement actions in the retail industry, data privacy challenges, practical recommendations, and how Securiti...

Nigeria's DPA View More

Navigating Nigeria’s DPA: A Step-by-Step Compliance Roadmap

Download the infographic to learn how Nigeria's Data Protection Act (DPA) mapping impacts your organization and compliance strategy.

Decoding Data Retention Requirements Across US State Privacy Laws View More

Decoding Data Retention Requirements Across US State Privacy Laws

Download the infographic to explore data retention requirements across US state privacy laws. Understand key retention requirements and noncompliance penalties.

Gencore AI and Amazon Bedrock View More

Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock

Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...

DSPM Vendor Due Diligence View More

DSPM Vendor Due Diligence

DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...

What's
New