Data transfers after Schrems II: Reflections from the Asia Pacific
Clarisse Girot of the Asian Business Law Institute, Mark Parsons of Hogan Lovells and Olga Ganopolsky of Macquarie Group discuss practical issues and geopolitical sensitivities.
The decision of the Court of Justice of the European Union (CJEU) in Schrems and Facebook Ireland v Data Protection Commissioner(1) (Schrems II) concerns the interpretation of the GDPR as a matter of EU law, but the implications of this ruling are global in their dimensions.
Until now, the consequences of the decision have mostly been analysed in a transatlantic context, in the wake of the annulment of the EU-US Privacy Shield. yet the ruling is very significant for APAC-based organisations with a direct or indirect EU link. In many cases, the organisation will rely on data processing infrastructure in more than one country, meaning that non-EU data privacy regimes, including those in APAC, will apply in cumulation. The decision is also significant for APAC authorities which must now assess its impact on their own data protection and transfer frameworks.