CIPL Recommendations for International Transfers Post-Schrems II

Back in July we wrote about the EU Court of Justice’s decision that one of the main methods for compliantly transferring personal data outside of the EEA to the US, commonly known as the “Privacy Shield” was no longer valid (due to the lack of oversight of US security and law enforcement agencies when they access non-US citizens’ personal data).


At the same time, one of the other main methods, known as the Standard Contractual Clauses (“SCCs”), were given a stay of execution, but with strings attached (more on this here). These model clauses, which when entered into, legitimise transfers of personal data outside of the EEA (not just to the US but anywhere), had potentially been up for being declared invalid as well.


On 24th September 2020 the Centre for Information Policy Leadership released a new paper on the Path Forward for International Data Transfers under the GDPR after the CJEU Schrems II Decision. CIPL conducted a survey of its members’ data transfer practices and provided a summary of the survey’s findings, as well as CIPL’s observations.


Highlights include (taken from the summary):


●     ‘The GDPR mechanisms that organizations are relying on or considering for their international transfers post-Schrems II, such as SCCs, Binding Corporate Rules and the derogations under Article 49 of the GDPR.

●     The main factors organizations have identified and that should be considered as part of a risk assessment, such as the nature, sensitivity and volume of data transferred or the likelihood of government access to it.

●     The additional measures organizations are using or considering using to protect transferred data. These may include legal measures, such as the implementation of additional contractual provisions with recipients of personal data along with commitments to challenge government requests for access, or organizational measures, such as relying on a comprehensive Privacy Information Management System or certifications. They may also include technical measures, such as anonymization, pseudonymization or encryption, if relevant.

●     The accountability frameworks and the processes organizations are using to respond to data access requests made by governments, including the policies and procedures organizations are putting in place to review and respond to such requests.’


While the paper does not represent the current standard practices of all organisations it does offer a helpful overview, as well as a toolbox. This is useful in addressing the judgment’s requirements within the context of their particular circumstances and data transfers, as well as selecting ideas best suited to them.


For advice on your obligations in relation to this matter please contact one of our specialists. You can read more articles about data privacy and cybersecurity on our blog.