Latham develops new resource to identify considerations for assessing SCC and BCR data transfers in Europe.

By Gail E. Crawford, Fiona M. Maclean, Michael H. Rubin, Serrin Turner, Tim Wybitul, and Ulrich Wuermeling

Following the Schrems II decision in July 2020, organisations relying on the standard contractual clauses (SCCs) or Binding Corporate Rules (BCRs) to transfer personal data outside of the European Economic Area are required to assess whether the law of the destination country ensures adequate protection for the personal data being transferred. Organisations may also need to put in place additional safeguards to ensure an essentially equivalent level of protection. The CJEU indicated that SCCs should not be used if the destination country’s legal regime prevents compliance with their terms or impinges on the level of protection they afford.

Latham & Watkins has produced a Data Transfer Risk Assessment, a practical framework for identifying issues that companies may wish to consider when assessing the level of risk involved in a particular data transfer, based on the SCCs or on BCRs.

The framework can be used to assess transfers to any country outside the EEA, and includes illustrative examples that examine certain issues under US law. Latham is expecting further guidance from the European Data Protection Board on the requirements for this assessment and the additional safeguards that may be appropriate. Latham will continue to update and amend the Data Transfer Risk Assessment as the law and guidance develops.