International companies transferring personal data to multiple 3rd countries are unlikely to soon find a 100% workable approach to address ‘Schrems II’ implications.

Why I think so? It stems from a superb article written by the IAPP authors who skilfully and clearly explain (for the first time ever?) how to tackle the issues raised in the CJEU’s decision and to continue data transfer to USA based on supplemented SCC (see the link below).

Just take a deeper look and see how many details of the US laws are taken into account and analysed, based on which practical recommendations are given. At the same time, the CJEU factually introduced the requirement to evaluate legal landscape in every third country that imports data flows.

The above means that the same exercise should be conducted in relation to each third country. In many of them the laws may not even be translated in English and be publicly available, case law may indeed be unclear or even absent. Such analysis will almost definitely require a great deal of time and money amid the absence of grace period. 

Where to get help:

  1. See my short article on how to start with the assessment without spending budget:
  2. See Essential Guarantees Guide ( which can help you analyse surveillance practices in different countries across the globe.
  3. Expect more from me on that issue in the following weeks as we at Carlsberg HQ are launching «Schrems II Working Group» to share thoughts and develop action plan.
  4. Remember that ‘wait and see’ approach is not an option here; complexity is not an excuse for doing nothing in the hope that Supervisory Authority will wait too. 

BCRs and Tetra Pak has just got them approved in Sweden

An extremely interesting development considering the recent Schrems II decision and that Tetra Pak has US operations.

This is a first for the Swedish Data Protection Authority with BCRs. OneTrust has a good summary of the decision, etc., in English. Here is the decision in Swedish.

Now, there is much discussions on the legality of Binding Corporate Rules since Schrems II, after all surveillance in the U.S. is omnipresent, over which we have no control over here in the E.U., but in reality what this decision means is that the we need to be realistic, business must go on.

My take on the transfer of data is to dive into the potential risks to rights and freedoms of the natural person. If there are none, e.g. you are only transferring email address and name of the individual, and maybe they are adding business activities into a log, e.g. financial records. I find it difficult to really force myself to change an established business practice, especially now with coronavirus times, and many businesses are in survival mode, and many close to bankruptcy. If HR data is being transferred then this must change clearly.

I am, even as a privacy professional sceptical of all the fuss and hype there is on blocking all personal data transfers out of the EU to a country such as the U.S. (lacking adequacy decision now with Privacy Shield gone), because of Schrems II.

I guess if I wasn’t a small startup myself, serving small-medium businesses, I would think differently. But if this is all too complex, the SMB will do nothing, they have too much to lose, and when it happens it can go quick, money spent must be prioritised. For the SMB Schrems II is like double-dutch, all this legal speak, it’s out of their boundaries of business operations, and and the Data Protection Authorities get this, and are not normally targeting the small actors selling consulting, car repairs, chickens, or a pair of shoes, they are after the biggies.