Skip to main content

The Slow Stroll Toward Schrems III? And How NT Analyzer Can Help in the Meantime

By , , and April 12, 2022October 28th, 2022Insights

After more than a year of negotiations, on March 25, 2022, the European Commission and the United States announced an agreement for a new Trans-Atlantic Data Privacy Framework. The new Framework will replace EU-U.S. Privacy Shield, which was invalided by the Court of Justice of the European Union (“CJEU”)’s Schrems II decision in July 2020. Since the Schrems II decision, businesses generally relied on Standard Contractual Clauses (“SCCs”) for trans-Atlantic data transfers.

Under the new Framework, it is expected that participating companies will be able to have data flow both “freely and safely” between them. See Nascent EU/US Trans-Atlantic Data Privacy Framework: some points to note for additional details on the implications.

How NT Analyzer Can Help Now

While there is still uncertainty on the horizon for the yet-to-be-released Framework, we have developed an add-on feature for the NT Analyzer tool suite that enables businesses to assess the risks associated with cross border data transfers. The main questions facing companies at this point are:

  • Do my websites and mobile apps, when used in the EU, transmit data to the US, or other “unsafe” jurisdictions?
  • Is there reason to believe that the transmitted data is caught by the NSA’s “Upstream” or “Downstream” surveillance programs?
  • How should I handle the data transmission for purposes of Schrems II?

Our automated Data Transfer Scanner identifies and sorts Schrems II risk of data flows for further legal handling, including the use of Google Analytics and similar vendors.

What does the scanner do?

  • Identifies high risk data endpoints (in the US and elsewhere)
  • Geolocates the server collecting the data
  • Classifies data endpoints as likely caught (or not) by FISA 702 (Downstream/PRISM)
  • Identifies whether data is suitably encrypted to reasonably protect against NSA “Upstream” capture
  • Ranks sensitivity based on further jurisdictional information about the remote host
  • Risk rates the data endpoint
  • Sorts the data endpoints for further action relative to legal protections

Our scanner covers off at a technical level the type of risk subject to Schrems’s complaints—which is appropriate, since almost every complaint by Schrems is based on network traffic analysis. We anticipate refining this scanner as details of the EU/US Trans-Atlantic Data Privacy Framework come to light.

Stop by the NT Analyzer booth at IAPP Global Privacy Summit 2022 and learn how NT Analyzer can help with your data privacy needs at a technical level. 


Steven Roosa

Author Steven Roosa

Steven B. Roosa advises companies on a wide spectrum of technology and legal issues pertaining to privacy and data security. Steve serves as partner in Norton Rose Fulbright's New York office and oversees the firm's privacy compliance tool suite, NT Analyzer.

More posts by Steven Roosa
Steven Roosa

Author Wenda Tang

Wenda Tang is a lawyer in the Washington, DC office, where she is part of the Data Protection, Privacy and Cybersecurity practice group. Wenda focuses on drafting and interpreting technology-related contracts, including insertion orders, service provider addendums, DPAs, advertising agreements, and non-disclosure agreements. She also assists clients in complying with data protection and privacy laws, such as the CCPA, GDPR, HIPAA, GLBA, COPPA, CAN-SPAM Act, and TCPA.

More posts by Wenda Tang
Steven Roosa

Author Daniel Rosenzweig

Daniel B. Rosenzweig is a lawyer in Norton Rose Fulbright's Data Protection, Privacy and Cybersecurity practice group in the New York office. Daniel is part of the core team that oversees NT Analyzer to help clients navigate the complex data protection and privacy landscape.

More posts by Daniel Rosenzweig
Steven Roosa

Author Nicole Sakin

Nicole Sakin is an associate in Norton Rose Fulbright's Information Governance, Privacy and Cybersecurity practice group in the Washington, DC office. Nicole advises clients on compliance with data protection and privacy laws, including COPPA, GLBA, HIPAA, TCPA, VPPA, FTC Act, and CCPA/CPRA and other state privacy laws. Nicole has experience with drafting applicable disclosures, privacy policies, and operational controls, as well as advising clients on building and implementing their privacy compliance programs across all stages of the development lifecycle. She also assists clients with drafting and interpreting technology-related contracts, including insertion orders, service provider addendums, and data protection agreements/addendums.

More posts by Nicole Sakin