Starting with a good note: The “Schrems II” judgment does not lead to significant negative implications for companies that rely on the derogations the EU General Data Protection Regulation provides for international data transfers through Article 49.

The Court of Justice of the European Union’s judgment stipulates that companies will need to evaluate whether their use of the standard contractual clauses provides sufficient protection in light of any access by the public authorities of the third country to the personal data transferred and the relevant aspects of the legal system of such third country. 

However, the judgment does not indicate that this evaluation of public authorities’ access to personal data is required to rely on the derogations, in part because, unlike other transfer mechanisms, the derogations acknowledge and accept that the legal system of a third country does not provide adequate data protection. More importantly, the derogations do not demand companies implement countermeasures to “raise” the data protection level of the data recipient in the third country (with the exception of the “compelling legitimate interest” derogation in Article 49 (1)(2) of the GDPR).

Click here to read on.

For more on Schrems II, visit our Schrems II Resource Hub.

Note: This is the sixth in a series of guidance notes on what the “Schrems II” decision means for companies that rely on EU-U.S. Privacy Shield, controller-to-processor standard contractual clauses, SCCs for transfers to controllers, derogations/exceptions to transfer restrictions, and binding corporate rules, as well as what “Schrems II” means for Brexit and what companies can expect with the road ahead on these issues.