In Europe, regulatory scrutiny over data flows from EU member countries to the U.S., U.K. and other non-member jurisdictions is picking up steam. The Schrems II ruling is serving as a primary driver, arming EU data protection authorities (DPAs) with a new platform for enforcing GDPR.
In September of last year, on the heels of Schrems II, the Finnish DPA began sending inquiries to companies about their data transfers to the U.S., and Max Schrems’s watchdog organisation, NOYB has also been active in initiating compliance checks on various companies across Europe. More recently since February, more European DPAs have followed suit, in an effort to actively enforce Schrems II, including the German, Portuguese and French DPAs.
In parallel with enforcement activity, regulatory developments surrounding cross-border data transfers continue to gain momentum since the Schrems II decision was handed down. To date we have seen the invalidation of the Swiss Privacy Shield, new draft Standard Contractual Clauses (SCCs) and growing adequacy talks between the EU and non-member states including South Korea and the U.K.
These developments are adding fuel to an already burning fire. Even before Schrems II as enforcement started gaining momentum, organisations were bracing for an uptick in regulatory activity. In the recent FTI Consulting Resilience Barometer®, a global survey of more than 2,000 corporations, 69% of respondents said regulatory breaches or investigations are spiking now or will in the next six to 12 months. More than one-third said they strongly agree that this regulatory uplift will make business more complicated.
In this climate, a reactive stance is not a viable option. Below are five key considerations for organisations looking to get in front of these risks and bolster compliance around international data flows.
Countless business activities and workflows require the transfer of data across borders. The ability to move data between jurisdictions is a significant factor in maintaining business continuity, but it is also becoming increasingly risky. The effects of Schrems II and the increasing momentum behind GDPR enforcement should not be taken lightly. Taking the time now to reassess existing cross-border data transfer mechanisms is a far better option then facing a regulatory violation down the line.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.
Sonia Cheng
Senior Managing Director, FTI Consulting
Renato Fazzone
Senior Managing Director, FTI Consulting
We use cookies to provide the best experience possible. For more information on the cookies we use and the information they store please refer to our privacy policy.