Lawyer Monthly - November 2021 Edition

The most significant change is that it allows data exporters to make more concrete assessments of whether any problematic law or practice in the country of destination in practice have an impact on the transfer in question. In particular, as part of an overall assessment, which, inter alia, covers use of sub-processors, purposes of processing, categories and format of the personal data and security measures, the parties may take into account the data importers’ documented experiences related to prior instances of requests for disclosure from public authorities, or the absence of such requests. For example, the data exporter may be able to establish a robust assessment of instances of support from third countries if the provider can document that over the last years there have been no instances of requests from public authorities and this is corroborated with publicly available and reliable information. The European Commission adopted new Standard Contractual Clauses (SCC) in June. How do these differ from the SCC used before Schrems? Following the CJEU’s scrutiny of the “old” 75 OCT 2021 | WWW.LAWYER-MONTHLY.COM THOUGHT LEADER - THOMAS OLSEN Contact Thomas Olsen Partner, Simonsen Vogt Wiig Filipstad Brygge 1 Oslo, 252 Norway T: +47 922 56 404 | E: Thomas.Olsen@svw.no Thomas Olsen Thomas Olsen is a partner at SVW whose areas of specialisation include data protection (GDPR), cybersecurity, IT & digitalisation and compliance & risk. He holds a PhD in data protection law and was previously the leader of the Norwegian Bar Association’s committee for ICT and Privacy. Thomas heads SVW's data protection practice, which has been ranked number one in Finansavisen’s 2019, 2020 and 2021 survey of Norwegian lawyers. 2010 SCC adopted under the 1995 Data Protection Directive in the Schrems II case, the European Commission adopted new SCC under the GDPR on 4 June. Not surprisingly, the new SCC provide enhanced protection of personal data, in particular related to the handling of third country government requests to personal data. In line with the EDPB Schrems II recommendations, the parties commit to document and make available their assessments that there is no reason to believe that the laws and practices in the third country of destination prevent the data importer from fulfilling its obligations under the clauses. The greatest innovation, however, is that the new SCC cover four modules to cater for various transfer scenarios. As under the old SCC, they cover controllers-controller and controller- processor transfers. The new SCC also have modules to cover processor-(sub-) processor and processor-controller transfers. This means that for the first time, a processor is able to establish a legal basis for its transfers to its sub- processors or controller customers outside the EEA. It is also important to note that the controller-processor and processor-processor modules fulfil the requirements for a data processing www.svw.no