One of the most interesting aspects of the Schrems II decision is the expectation that data exporters will be able to assess the local law of the importing country. Pre-Schrems II, companies relied on the European Commission to determine if the laws of a country outside the EU offer an adequate level of data protection (under Article 45 GDPR). Now individual companies seem to be expected to make this determination on their own. This is not realistic. To put it bluntly, if the laws were adequate, would the European Commission not have already made an adequacy finding in respect of the country, negating the need for SCCs in the first place? Arguably, the Schrems II assessment could focus on any local law conflict with the SCC requirements, rather than broader equivalence to GDPR. Still, further guidance from the EU Commission, the EDPB and national Supervisory Authorities is essential in this area. A more in-depth look at the Schrems II case from my colleagues can be found in the article in the link below.