One of the most interesting aspects of the Schrems II decision is the expectation that data exporters will be able to assess the local law of the importing country. Pre-Schrems II, companies relied on the European Commission to determine if the laws of a country outside the EU offer an adequate level of data protection (under Article 45 GDPR). Now individual companies seem to be expected to make this determination on their own. This is not realistic. To put it bluntly, if the laws were adequate, would the European Commission not have already made an adequacy finding in respect of the country, negating the need for SCCs in the first place? Arguably, the Schrems II assessment could focus on any local law conflict with the SCC requirements, rather than broader equivalence to GDPR. Still, further guidance from the EU Commission, the EDPB and national Supervisory Authorities is essential in this area. A more in-depth look at the Schrems II case from my colleagues can be found in the article in the link below.
controllers seeking to rely on the SCCs should, prior to any transfer of personal data, carry out due diligence to assess whether the local law of the destination country provides a level of protection that is essentially equivalent to that provided under the EU data protection regime. This also involves carrying out an assessment to confirm that the law of the destination country does not impose any obligations on the importer which are contrary to the importer's obligations under the SCCs (for example, they should confirm that the importer, under its local law, will be able to ensure an adequate level of protection against access by the public authorities to that data).