Our Response to Schrems II

Updated: 8 August 2023

CBRE is committed to upholding the data protection and privacy rights of our clients, employees and stakeholders across the globe, wherever we do business. CBRE has responded proactively to the recent changes concerning cross-border data transfers, including those in Europe and China.


Since the “Schrems II” decision by the Court of Justice of the European Union in 2020, we have taken, and continue to take, concerted steps to address the data transfer requirements under changing European privacy laws, including:

  • Conducting a range of Transfer Impact Assessments for transferring data to CBRE locations, including to CBRE, Inc. and its U.S. subsidiaries (“CBRE US”). The Transfer Impact Assessment for CBRE US concluded that such transfers can lawfully continue as they are not subject to disclosure to U.S. intelligence authorities under the U.S. Foreign Intelligence Surveillance Act Section 702 (50 U.S.C. §1881a) (“FISA 702”) or Executive Order 12333.
  • Executive Order 14086, as assessed by the EU Commission in its adequacy decision for the EU-US Data Privacy Framework, has significantly increased the data protection and privacy safeguards for non-US individuals by establishing clear and precise rules as well as necessity and proportionality principles for U.S. intelligence activities, and a new two-tiered redress mechanism, which apply even if CBRE US is not (yet) certified under the new EU-US Data Privacy Framework.
  • Implementing a framework for conducting and undertaking Transfer Impact Assessments on extra-EU/EEA data transfers.
  • Continuing to rely on EU SCCs (as updated) to transfer personal data from the EU/EEA to non-EU/EEA countries and, where indicated by the relevant Transfer Impact Assessment, implementing supplementary measures as recommended by the European Data Protection Board (EDPB) and other EU supervisory authorities.
  • Implementing appropriate safeguards with respect to other European countries that impose transfer requirements, such as adopting the UK Addendum and reflecting the changes required under Swiss law.
  • Supplementing CBRE’s Global Data Privacy Policy to include an “Inadequate Jurisdiction Order Disclosure Standard” according to which CBRE will, among other measures, take all reasonable legal action to challenge and suspend disclosure orders from inadequate third countries and to produce only the minimum data necessary for lawful compliance.
  • Increasing EU/EEA data localization.


To ensure compliance under Cybersecurity and Personal Information Protection laws, including the lawful transfer of Chinese data outside of China, CBRE obtained all relevant Multi-Level Protection Scheme certifications and has implemented the Measures for the Standard Contract for Outbound Transfer of Personal Information by adopting the Cyberspace Administration of China (CAC)-issued Standard Contract and conducting privacy impact assessments for cross-border data transfers.


CBRE employs strong cryptographic technology that is aligned to the latest best practice security standards in accordance with the internationally recognized standards bodies, avoiding encryption algorithms which are known to have weaknesses or exploits. We have a Global Information Security Policy supported by a Data Classification Standard and Cryptography Standards that cover data classifications cryptographic algorithms and encryption use.

  • In transit: CBRE implements protective measures against active and passive attacks on the sending and receiving systems providing transport encryption, such as adequate firewalls, mutual TLS encryption, API authentication, and encryption to protect the gateways and pipelines through which data travels, as well as testing for software vulnerabilities and possible backdoors. We use effective encryption algorithms and parameterization over untrusted networks with Transport Layer Security (TLS) protocol 1.2 or higher, SSH 2 (Secure Shell), IPsec (IP Security).
  • At rest: CBRE also encrypts data at rest appropriate with the data’s classification by employing effective encryption algorithms and parameterization, including Symmetric Key Algorithms - Advanced Encryption Standard (AES) and Triple Data Encryption Standard or Asymmetric Key Algorithms - Rivest, Shamir & Adelman (RSA) and Elliptic Curve Digital Signature Algorithm (ECDSA). CBRE does not allow writing of data to removable media in general. Where such a device is required, a temporary exception is raised and managed throughout its duration. Users who have a legitimate need to use USB storage are provided with an encrypted USB drive for this purpose.

Hashing Functions: The hash functions that are employed include SHA‐2 and SHA‐3 but not obsolete functions such as MD5 and SHA-1.

For further information about CBRE’s approach to cross-border data transfer, please contact CBRE’s Global Data Privacy Office.

Elizabeth Atlee
Chief Ethics & Compliance Officer

Shannon Clark
Global Director and Associate General Counsel – Data Protection & Privacy