
Assessing Cross-Border Data Transfers After Schrems II Ruling

Published September 6, 2020
Author

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US


The Court of Justice of the European Union (CJEU) released a decision invalidating the US-EU Privacy Shield arrangement for transatlantic data transfers and changing obligations of data controllers when using Standard Contractual Clauses (SCCs) as a mechanism to export data. Among other things, the court held that data controllers may use SCCs to transfer data of EU citizens to a data importer based in a jurisdiction which has been deemed to have inadequate data privacy protections only after:

1. Carrying out a review of the national legislation and regulations relating to data privacy and security in the data importer's country and verifying whether those laws and regulations allow the importer to honor the contractual promises within the SCCs;

2. If the national legislation and regulations are too weak to allow the SCCs to be enforced, then the controller, with the assistance of the data importer, must establish supplementary measures to enforce the data importer's obligation to protect the data under the SCCs;

3. If the data controller, the data importer or the relevant Supervisory Authority believes that the contractual protections on the data under the SCCs cannot be honored by the data importer, then the data transfer between the controller and importer should be cancelled and any data already transferred under the SCCs should be deleted by the data importer.

Analyzing Assessments and Additional Safeguards for Cross-Border Data Transfers post-Schrems II

Risk Assessments

Upon a close reading of the CJEU’s judgement, it appears that the data controllers and processors should be focusing on the following factors while conducting the obligatory risk assessments under the SCCs:

1. Identity of the data importer:

  • Is the data importer from a regulated industry?
  • Who is the data importer and in which industry do they work?
  • Does the data importer have the capability to refuse public authorities’ requests to hand over transferred data for surveillance needs?
  • Has the data importer received surveillance requests in the past, and did it comply with them for similar sets of data?

The identity of the data importer matters since some data importers may be targeted more by public authorities than others due to the industry they work in. Moreover, the data importer's history of compliance with a regulatory regime and its capability to challenge surveillance requests by public authorities can also help assess the risk of exposure of the personal data being transferred.

2. Assessment of the industry-specific regulatory regime of the data importer:

  • What are the powers, roles and performance of the relevant local regulators?
  • What safeguards and redress are available for data subjects under the relevant legal and regulatory regime?

The type of safeguards and redress available to data subjects under a regulatory regime should be analyzed and evaluated in terms of scope, efficacy and enforceability of protections.

3. The nature of the data and the data transfer:

  • What type of data is it?
  • Is it sensitive personal data?
  • For what purpose is the data being transferred?
  • What is the residual risk to the data subject if the transferred data is exposed or surveilled by the public authorities of the importing country?
  • Has the data subject provided (enhanced) informed and free consent to have his/her personal information transferred despite the risk of it being exposed or surveilled by the public authorities of the data importer’s country?

Some data and transfers are inherently more at risk than others of being the subject of government surveillance, due to national security concerns and/or law enforcement interest in the type of data being transferred. Similarly, the type of data matters because sensitive personal data exposed to surveillance is more harmful to the data subject than other data types.

4. The categories of data subjects:

  • Who are the data subjects whose data is being transferred?
  • Do these data subjects have access to judicial/regulatory bodies in the data importer’s country to exercise their rights and challenge the surveillance of their information?

Some data subjects might be at increased risk of surveillance by a country's public authorities due to their employment, nationality, etc. Similarly, some categories of data subjects (e.g. EU citizens who also hold US citizenship) will have an enhanced capability to take action to stop or redress any government action which threatens to expose their data, while others might not.

5. The nature and scope of surveillance and national security laws of the data importer’s country:

  • Are the surveillance laws of the data importer’s country expansive or limited in their scope?
  • Are surveillance efforts for national security requirements curtailed by the principles of necessity and proportionality?
  • What is the probability that the transferred personal data will be surveilled?

Some jurisdictions have well-structured surveillance laws that apply only to specified industries, categories of people, etc., while other jurisdictions have vaguely worded and overbroad surveillance laws. The risk is lower where the laws (and their limitations) are clearly written and well understood.

6. Other supplementary measures used by the data importer to protect the data:

  • Does the data importer employ any industry-specific protections to the transferred data?
  • Does the data importer apply any technical or organizational protections to the transferred data?
  • Are there any protections to the transferred data which are in the nature of international commitments by the data importer or the country the data importer is based in?
  • What supplementary measures will be used in the SCC and how effective would they be in protecting the data?

Some data importers are subject to additional and independent supplementary measures for the protection of the transferred data that are industry-specific or international in nature (via international treaties or obligations). These can reduce the risk of the transferred data being exposed.

Additional Safeguards

After conducting a holistic assessment of the risk, the data controller can choose to enact additional safeguards within the SCCs to protect the data and mitigate risk in order to comply with the CJEU judgment. Such additional measures may include:

  • technical and organizational measures (e.g. strong encryption of the transferred data, with the data importer never having access to the encryption key),
  • data minimization (e.g. reducing the data flow to a data importer if they become subject to surveillance requests or the risk of their being issued a surveillance request increases),
  • other contractual measures that give data controllers some form of control over data importers (e.g. the data controller exercises total control over the data importer in relation to the imported data),
  • a reporting obligation (the data importer is obligated to inform the data controller of surveillance requests received from public authorities concerning the imported data),
  • a data protection obligation (e.g. an obligation upon the data importer to delete the data or transfer it onward, and to challenge surveillance requests by public authorities before domestic courts).

Conclusion

"Data controllers in the EU should immediately begin to audit their data sharing practices and prepare for the eventual compliance actions by regulators. NOYB - Max Schrems’ data rights organization - has already filed 101 complaints with various Supervisory Authorities against European companies continuing to transfer data to the US after the judgement and the European Data Protection Board has formed a task force for the implementation of the ruling. Since there is no grace period for companies to adapt to the decision, even tomorrow the Supervisory Authorities can knock on EU data exporters’ doors asking for justifications for data transfers being made to US companies."

Thus the adoption and enhancement of SCCs with additional measures to mitigate the risks identified in risk assessments is the only viable step for many companies (at least in the short term), as other solutions such as Binding Corporate Rules (BCRs) are too expensive and solutions such as enhanced consent are not sustainable or viable for systematic transfers. Until further guidance comes from the authorities, or the US and EU authorities can cobble together a Privacy Shield 3.0, these steps are required to ensure that billions of dollars' worth of transatlantic trade does not come to a grinding halt.
