Lawyer Monthly - November 2021 Edition

Companies should be very cautious in engaging new providers where they are uncertain about compliance with the transfer rules. Simonsen Vogt Wiig Simonsen Vogt Wiig (SVW) is one of the largest Norwegian law firms. With its team of over 180 lawyers, the firm provides full service legal advice to international business clients from its offices in Norway and Singapore. SVW is also ranked number one among Norwegian law firms for being at the “forefront of digitalisation”, according to a customer survey conducted by Prospera. requirements under GDPR art. 28 that the controller shall only use processors providing sufficient guarantees, including with respect to information security, to meet the requirements of the GDPR. Furthermore, if a customer considers entering into an agreement stating that the provider may disclose personal data to third country authorities if required under mandatory law, the Norwegian supervisory authority has signaled that this requires a legal basis for sharing data from the customer to the provider (who could be considered a controller when disclosing data according to mandatory requirements). 77 OCT 2021 | WWW.LAWYER-MONTHLY.COM THOUGHT LEADER - THOMAS OLSEN It remains to be seen whether this stance will be followed up by the supervisory authorities. Nevertheless, it adds to the list of complex assessments that companies are expected to carry out and illustrates some of the uncertainty regarding both transfers and data stored by international cloud providers in the EEA. What advice would you give to companies that rely on international data transfers, and what regulatory developments do you expect to see in this area going forwards? It is important that companies go through their lists of providers and business partners and map data transfers with a view of prioritising these based on the degree of exposure to the new, stricter transfer requirements. We believe the supervisory authorities will allow a reasonable time to implement supplementary measures or to move to alternative providers in relation to existing services. However, companies should be very cautious in engaging new providers where they are uncertain about compliance with the transfer rules. Hopefully the EU and US will succeed in the ongoing negotiations for a transfer agreement to replace Privacy Shield in the coming months. Such an agreement would of course facilitate transfers to the US, although there is a risk that it could face the same fate as its predecessors Safe Harbor and Privacy Shield. Nevertheless, we believe that supervisory authorities will expect to see risk-based assessments as set out in the EDPB recommendations and in the SCC in the foreseeable future, and international data transfers will continue to be perhaps the most complex area of GDPR compliance.