From the Development Laboratory: Schrems II and Detection of Cross-Border Data Transfers

The Court of Justice for the European Union (CJEU) recently issued an opinion (Schrems II) that invalidated the US-EU Privacy Shield. This presents the obvious technical question, “which of my data transfers are to the US?”

For global companies operating in Europe and for EU-based companies, the answer is probably surprising.  It is almost impossible to operate a global business without sending a good chunk of personal data to the US. Some of these transfers are intentional while many others are unwitting, but nevertheless occur because of the huge reliance on third parties and third party code libraries in modular development.

This presents a challenge in terms of detection of the data flows and classification (is it personal data or not?).  We just spent the weekend putting together an add-on for the NT Analyzer tool suite that does exactly that. Now we can take a network traffic capture, or a log file provided by the business, and provide an automated classification of remote host, the company controlling the host, and most importantly for Schrems II, an indication of whether or not the destination server is inside the EU (and if not in the EU, at least whether the destination server is in a jurisdiction that has received an adequacy decision from the EU), or whether the transmission is to a jurisdiction that the EU has not deemed safe for personal data.

Steven Roosa

Author Steven Roosa

Steven B. Roosa advises companies on a wide spectrum of technology and legal issues pertaining to privacy and data security. Steve serves as partner in Norton Rose Fulbright's New York office and oversees the firm's privacy compliance tool suite, NT Analyzer.

More posts by Steven Roosa
Steven Roosa

Author Daniel Rosenzweig

Daniel B. Rosenzweig is a lawyer in Norton Rose Fulbright's Data Protection, Privacy and Cybersecurity practice group in the Washington, DC office. Daniel is part of the core team that oversees NT Analyzer to help clients navigate the complex data protection and privacy landscape.

More posts by Daniel Rosenzweig