Our Response to Schrems II

Updated 2 December 2021

CBRE is committed to respecting and protecting the data protection and privacy rights of our employees, clients and stakeholders in the EU/EEA and globally. Since the issuance of the “Schrems II” decision on 16 July 2020 by the Court of Justice of the European Union (“ECJ”), CBRE has taken, and continues to take, proactive steps to ensure that all data transfers continue lawfully and in full compliance with EU law, including:

  • Conducting a U.S. Transfer Risk Assessment for transfers of personal data to CBRE, Inc. and its U.S. subsidiaries (“CBRE US”).This Transfer Risk Assessment has concluded that such transfers are not subject to disclosure to U.S. intelligence authorities under the U.S. Foreign Intelligence Surveillance Act Section 702 (50 U.S.C. §1881a) (“FISA 702”) or Executive Order 12333 and, consequently, may lawfully continue without supplementary measures as required by the ECJ in Schrems II and the European Data Protection Board.
  • Implementing a framework for conducting Transfer Impact Assessment on all extra-EU/EEA data transfers.
  • Continuing to rely on EU SCCs (as updated) to lawfully transfer personal data from the EU/EEA to non-EU/EEA countries and, where indicated by the relevant Transfer Risk Assessment, implementing supplementary measures as recommended by theEuropean Data Protection Board (EDPB) and other EU supervisory authorities .
  • Encrypting all EU/EEA personal data in transit with Transport Layer Security protocol 1.2 or higher, SSH 2 (Secure Shell), IPSec (IP Security) or S/MIME (Secure Multipurpose Internet Mail Extension) and at rest with Advanced Encryption Standard or Triple Data Encryption Standard and increasing database-level encryption.
  • Supplementing CBRE’s Global Data Privacy Policy to include an Inadequate Jurisdiction Order Disclosure Standard” according to which CBRE will, among other measures, take all reasonable legal action to challenge and suspend disclosure orders from inadequate third countries and to produce only the minimum data necessary for lawful compliance.
  • Implementing a contractually-binding Law Enforcement Data Access Procedure according to which CBRE US will challenge all disclosure demands received from U.S. intelligence authorities where reasonable grounds exist to do so. 
  • Increasing EU/EEA data localization.

CBRE is optimistic that new solutions, such as an enhanced EU-US Privacy Shield Framework, will be found which will allow for the continued free flow of data, so vital to the global economy and international trade relationships, and simultaneously protect and respect individual privacy rights consistent with EU law. For questions about CBRE’s response to the Schrems II decision, please contact CBRE’s Global Data Privacy Office.


Elizabeth Atlee

Chief Ethics & Compliance Officer

Shannon Clark

Global Director and Assistant General Counsel – Data Protection & Privacy