In the News

March 25, 2021
Ensure certainty of operations after Schrems II for international digital transformation     The Evolving Enterprise

Ensure certainty of operations after Schrems II for international digital transformation

The European Commission (EC) recently published a draft data adequacy decision for the UK. Does this pave the way for the continued free flow of personal data between the EU to the UK? Unfortunately, no, says Gary LaFever, CEO and general counsel, Anonos.

This is not an inevitable outcome, as the European Data Protection Board (EDPB) and each of the EU member state supervisory authorities still have input. In addition, the European Data Supervisor has already questioned the validity of the EC’s decision.

Simultaneously, enforcement of international data restrictions is getting off the ground in Germany, highlighting the urgent need for companies to comply with new requirements for lawful international data transfers to build efficiency and value in their enterprises via digital transformation.

At the centre of this uncertainty is the July 2020 decision by the Court of Justice of the European Union, known as “Schrems II”, which declared long-standing international data processing practices illegal.

Schrems II

A recent discussion between German Data Protection Authorities (DPAs) sheds light on the next potential steps in the enforcement process; the establishment of a Schrems II Task Force led by DPAs in Hamburg and Berlin.

The former is now set to begin initiating enforcement measures, including conducting random checks on companies to determine whether or not they are compliant with Schrems II requirements related to the flow of data between the US and EU.

Pressure is also coming from NOYB the European Center for Digital Rights, the non-profit privacy organisation founded by Max Schrems. In a questionnaire sent to over 30 companies as part of NOYB’s ‘Opening Pandora’s Box investigation’, very few businesses were able to satisfactorily answer a question about what technical measures they were implementing to ensure personal data sent to the US was not exposed to interception by third parties when in transit.


This level of unpreparedness for Schrems II compliance is echoed by the feedback from a recent webinar attended by 1,100+ C-suite executives from 50+ countries. Over three quarters (83%) of attendees admitted they do not have technical measures in place to satisfy Schrems II requirements for processing EU data in US cloud infrastructure or providing remote access to non-EU / EEA / Equivalency Countries for ‘follow-the-sun’ analytics, AI, ML or other processing.


It is clear from this that there is a disconnect between the level of preparedness among Boards and C-Suite Executive as investigations and enforcement actions start to get underway. But what exactly does the Schrems II ruling mean? And what should businesses be doing now to ensure compliance?

Despite the fact that it invalidated the EU-US Privacy Shield treaty for transatlantic data flows, the Schrems II ruling does not actually represent “new law”, but rather clarifies requirements passed under the GDPR in 2016 regarding the fundamental rights of individual data subjects to be protected when data is in use.

Until now, most organisations have focused on protecting data when at rest or in transit, but that approach is no longer sufficient. Companies found not to be in compliance with Schrems II may therefore not be in compliance with the GDPR generally.

High-risk strategy?

Given we are now nearly eight months on from the Schrems II ruling and the EDPBhas already released preliminary recommendations on how to comply with Schrems II, not taking action is a high-risk strategy. In Germany where random spot checks to assess compliance are now underway, companies with headquarters in or affiliates operating from the country are being urged to make sure they are able to adequately respond to investigations.

Gary LaFever

However, businesses in the UK and elsewhere in Europe that rely on processing EU personal data using US cloud services or accessing EU personal data from outside of the EU must also act now to comply before DPAs in their jurisdictions inevitably start to adopt stricter enforcement measures and initiate investigations.

The finalisation of EDPB guidelines and new Standard Contractual Clauses (SCCs) by the EC are projected to occur near the end of March 2021, leaving companies with few options if they are investigated and found to be non-compliant at this point. It is therefore vital that companies understand the need to implement new technically-enforced “Supplementary Measures” to support SCCs and comply with Schrems II requirements.

Analysis of available technology to support Schrems II compliance can take several months depending on a company’s procurement processes, and there really is no time to waste. As enforcement draws ever nearer, businesses shouldn’t adopt a ‘wait and see’ approach to evaluate events in Germany; the time to act is now.

The author is Gary LaFever, CEO and general counsel, Anonos.

This article originally appeared in THE EVOLVING ENTERPRISE. All trademarks are the property of their respective owners. All rights reserved by the respective owners.