Schrems II: Industry experts warn that SCCs are not enough

Anonos - Lawful Borderless Data

Anonos – Lawful Borderless Data

Schrems II - SCCs are not enough by Anonos

Schrems II – SCCs are not enough by Anonos

BRUSSELS, BELGIUM, March 24, 2021 / — Four industry experts have warned businesses looking to continue with lawful transfers of personal data from EU countries to the US in the wake of Schrems II that reliance on new Standard Contractual Clauses (SCCs) by the European Data Protection Board (EDPB) is not going to be enough alone to ensure compliance.

At a recent webinar hosted by the California Lawyers Association to explore the path forward for the continuance of transatlantic data flows following the invalidation of the EU-US Privacy Shield treaty, four key areas were identified by industry leaders.

1. SCCs – Even New Revised SCCs – Are Not Enough

Privacy Lawyer Christian Hammer, emphasised that the EDPB does not recognise a “risk based” approach to complying with Schrems II and that the situation is NOT “business as usual” because transfers cannot lawfully proceed using SCCs without new Supplementary Measures. This includes processing in the “clear”, which impacts cloud-based service arrangements.

2. New SCCs Impose Joint and Several Liability on Parties

Leo Moore, Partner at William Fry Solicitors, noted numerous matters related to the new revised SCCs. He highlighted that attempts by companies to try to limit their liability will no longer be effective because the new SCCs require joint and several liability without reference to any potential limitations of liability between the parties involved.

3. EDPB Recommends GDPR Pseudonymisation as Technical Supplementary Measure

Gary LaFever, CEO and General Counsel, Anonos, outlined that the EDPB highlights three kinds of Supplementary Measures – Contractual, Organisational and Technical. However, the EDPB notes that only Technical Supplementary Measures are effective against surveillance by foreign governments because controls must travel with the data and when “travelling” remain effective. In the case of third countries, this can only be accomplished using Technical measures because foreign governments are not bound by Contractual or Organisational measures. The EDPB also highlights GDPR-compliant Pseudonymisation as a Technical Supplementary Measure that “travels” with the data to protect it when in use.

4. Contractual Commitments by Cloud Providers to Not Reveal Data Are Unenforceable

Ashley Gorsky of the American Civil Liberties Union, highlighted that in the Schrems II court ruling there was a specific focus on Section 702 of the US Foreign Intelligence Surveillance Act (FISA), which applies when the US government conducts surveillance inside the US, and Executive Order 12,333 (EO 12333), which applies when the government operates outside the US. She noted there is no judicial review of surveillance under FISA or EO 12333, and that contractual commitments by US cloud and other technology providers to object to US government surveillance requests are not realistic or likely unenforceable.

Anonos is a leading provider of state-of-the-art data enablement and protection technology, offering a range of technology solutions ( that empower organisations to continue lawful processing of EU data in compliance with Schrems II and other global data sovereignty and localisation laws. For more information, join the Schrems II Linkedin Group with 4,800+ members at:

Liberty Communications
on behalf of Anonos
email us here

Related posts