Beyond Legal #29: The external counsel who gave the legal answer when the operational one was needed

I gave her the legal answer. What she needed was the operational one. — Carsten A., external counsel
External legal counsel and internal data protection functions are not the same thing. This sounds obvious. In practice, many companies operate as if they are interchangeable — commissioning a legal opinion on a data protection question, receiving a technically accurate answer, and then filing it without ever asking the harder question: does the company have the operational capability to implement what the legal advice describes?
Carsten’s story
Carsten is a senior partner at a commercial law firm with a well-regarded data protection practice. He is technically excellent — across the GDPR, the ePrivacy Directive, and the evolving landscape of international transfer mechanisms. He is engaged by clients for exactly the kind of complex legal analysis that internal teams often lack the expertise to conduct themselves.
His relationship with the Data Protection Leader at one client — a multinational logistics company operating across twelve EU member states — had always worked the same way. The client identified a legal question. Carsten provided an opinion. The opinion was filed. The client moved on.
The question that eventually exposed the gap was one Carsten had answered correctly: what mechanism was needed to legitimise the transfer of personal data from EU entities to the company’s operations centre in a country without an adequacy decision?
His opinion was clear and accurate: standard contractual clauses under Article 46(2)(c), supplemented by a transfer impact assessment to verify that the destination country’s legal framework did not undermine the protections the SCCs provided, in line with the requirements confirmed by the Schrems II judgment of the Court of Justice of the European Union.
The Data Protection Leader — let’s call her Farida — received the opinion, circulated it to the IT and legal teams, and assumed the implementation would follow. It did not. Two years later, when the Supervisory Authority requested documentation of the transfer mechanism, the SCCs had not been executed, the transfer impact assessment had never been conducted, and the transfers had continued throughout. The legal opinion existed. The operational implementation did not.
What went wrong — and where accountability sat
Farida had assumed that an accurate legal opinion was the same as a governed process. It was not. The opinion described what needed to happen. Nobody had been made responsible for making it happen. Carsten had not been asked to oversee implementation. The IT team had not been told what SCCs required from a technical standpoint. The procurement team had not been asked to update the vendor agreements.
The Supervisory Authority’s finding was that the controller had transferred personal data to a third country without adequate safeguards for a period of over two years, in breach of Article 46(1) of the GDPR. The existence of a legal opinion describing the correct mechanism was not a mitigating factor — it was, if anything, an aggravating one, because it demonstrated that the company had known what was required and had not implemented it.
Farida was overlooked for promotion. The feedback she received was that she had not demonstrated the ability to translate legal advice into operational outcomes. Carsten’s firm was retained. Nobody asked them why the implementation had not been monitored.
What do GDPR international data transfers actually require beyond standard contractual clauses?
Under Article 46 of the GDPR, transfers of personal data to third countries without an adequacy decision require appropriate safeguards — most commonly standard contractual clauses approved by the European Commission. But the Schrems II judgment of the CJEU, confirmed in 2020, established that SCCs alone are not sufficient where the law or practices of the destination country may prevent the recipient from fulfilling the obligations the SCCs impose. Controllers must conduct a transfer impact assessment — a documented analysis of the destination country’s legal framework — and implement supplementary measures where necessary. The SCC is the legal instrument. The TIA is the evidence that it works in practice. Without the TIA, the SCC is a template, not a safeguard.
Two enforcement decisions demonstrate the cost of treating the legal instrument as the end of the process rather than the start of it. In August 2024, the Dutch Data Protection Authority fined Uber €290 million for transferring the personal data of European drivers — including location data, payment information, and in some cases criminal and medical records — to the US without adequate safeguards after ceasing to use standard contractual clauses in 2021. The fine covered a period during which Uber had no operative transfer mechanism in place. In May 2025, the Irish Data Protection Commission fined TikTok €530 million for transferring EEA user data to China without verifying, guaranteeing, and demonstrating that the personal data was afforded a level of protection essentially equivalent to that guaranteed within the EU — and for providing inaccurate information to the inquiry in the process. In both cases, the companies had legal functions. Both had received advice about transfer requirements. What neither had done was implement and govern those requirements as operational realities.
What should an external counsel’s relationship with a Data Protection Leader look like?
External counsel provides legal analysis — the identification of what the law requires, the risks of a given approach, and the mechanisms available to address them. The Data Protection Leader translates that analysis into operational implementation — the governance processes, the documented decisions, the cross-functional coordination, and the ongoing monitoring that turns legal advice into demonstrable compliance. Neither can replace the other. External counsel who provides an opinion and considers the matter closed is not providing data protection programme support. A Data Protection Leader who receives an opinion and considers it implemented is not running a data protection programme. The accountability under Article 5(2) — the obligation to demonstrate compliance, not merely intend it — sits with the controller. And demonstrating compliance requires operational implementation that a legal opinion, on its own, cannot provide.
The challenge for today: Identify the last three legal opinions or external advice documents your company received on a data protection question. For each one, find the implementation record — the documented decision, the operational change, the process update. If any of those records do not exist, you have found the gap between your legal advice and your compliance programme.
For more on how governance failures compound, see Beyond Legal #24 on what happens when processor agreements are not treated as working documents, and Beyond Legal #25 on the difference between understanding a requirement and implementing it.
Article references: Article 5(2) (accountability), Article 13(1)(f) (information to data subjects about international transfers and applicable safeguards), Article 44 (general principle for transfers), Article 45 (adequacy decisions), Article 46 (transfers subject to appropriate safeguards), Article 83(5) (fines for transfer violations).
Series: This is post 29 in the Beyond Legal series — 20 roles, 20 days, real consequences. Farida, Carsten and the actual story are fictitious; the two cases are real.





