Practical advice on international data transfers

The 2020 Schrems II court decision and 2021 Brexit raised many questions about international data transfers, including whether they are still possible at all. Look no further for true ‘hands-on’ legal and technical tips and advice.

Anneleen Van De Meulebroucke (Eubelius) cut through the legal fog with clear and precise definitions of what constitutes a data transfer (e.g. it includes remote access to personal data stored in the EEA) and what risks are involved. Schrems II boils down to worries about European personal data getting less protection than guaranteed in Europe. The GDPR already discusses safeguards, including decisions about the adequacy of protection provided, standard contractual clauses (new version in draft) and possibly derogations.
Schrems II adds to this the obligation for companies to check whether supplemental measures are necessary, decide which measures will work (do document this process!) and follow up on whether the measures are truly effective once in place. How? Learn about the EDPB recommendation on a six-step approach, including some pointers about possible supplemental measures. Furthermore, an example of a ‘real life’ case on the use of AWS, brought before the French Conseil d’État for evaluation, is provided.
Some remarks on (future) aspects of international data transfers to the United Kingdom conclude this exquisitely practical presentation.

In an equally practical vein, Bart van Buitenen (Cranium) discussed post-Schrems II supplementary measures from a technical perspective. Sadly, he cannot but conclude that, based on EDPB guidance, ‘full compliance for most common cases […] is currently impossible’. However, taking no action is not a viable option. Learn about the use cases as discussed in the EDPB guidance, with related tips about measures that work. There is also a quick overview of additional technical measures as suggested in the draft of the new standard contractual clauses.
The fact is that in the post-Schrems II era data transfers will not cease. A risk-based approach is crucial, and Bart van Buitenen shares his experience-based views on measures that can help reduce the risk. Once again a real help.

Clearly, dealing with the fallout of Schrems II will be a long-term effort. This session of the Privacy Focus Group provides a valuable and practical primer and a concise starting point for acquiring more insight.


