Who's Who Legal
Who's Who Legal
New to Who's Who Legal?
New to Who's Who Legal?
Menu
User Menu
New to Who's Who Legal?
Thought Leaders

Thought Leaders

Steven De Schrijver

Steven De Schrijver

AstreaLouizalaan 235 Avenue LouiseBrusselsBelgium1050

Thought Leader

WWL Ranking: Global Elite Thought Leader

WWL says

Steven De Schrijver is “an expert in the field” of data security, demonstrating deep knowledge and experience in the market. He is commended by peers for his “great understanding of his client’s business, which proves indispensable in the area of personal data”.

Questions & Answers

Steven De Schrijver is a partner with the Belgian law firm Astrea. He has 28 years of expertise in a wide range of IT and technology law matters. Steven has been involved in many outsourcing, digital transformation and data protection (now GDPR) compliance projects. He has a passion for artificial intelligence, robotics and drones. He is also considered to be one of Belgium’s top tech M&A lawyers.

Describe your career to date.

I started my career in 1992. Though I wanted to become a competition lawyer, due to client requirements I became a corporate lawyer. By chance all my corporate projects were in the TMT sector. As there was no dedicated technology lawyer in my first firm, all the technology law-related work ended up on my desk. Almost 20 years ago I started to use the competition and trade law resources of my then-law firm (we had lawyers of about 20 different nationalities at our firm in Brussels) to conduct pan-European data protection law programmes. Since then I have focused my career on a broad range of technology law issues, including data protection and privacy issues, and I have built a worldwide network of technology lawyers with whom I cooperate on cross-border client matters on a daily basis. I obtained my CIPP/E Certification two years ago, but whereas some of my partners at Astrea deal with general data protection compliance work, I focus on the high-level data protection issues that technology companies are facing in large projects and transactions.

What inspired you to pursue a legal career?

I think it was my passion for writing. I still attach a lot of importance to drafting legible, to-the-point legal advice and conclusive contracts.

In your opinion, what is the importance of blockchain for the future of data law?

Blockchain is transforming businesses across the world. As a secure, distributed ledger, it helps companies cut out intermediaries and maintain secure records of every transaction at a fraction of the cost of traditional systems.

However, it cannot be denied that it is difficult to reconcile the blockchain technology with the current legal framework – more specifically with the GDPR and other data protection legislation, and sometimes also with consumer protection legislation.

The main issue is that data in a blockchain cannot be modified or deleted, whereas the GDPR gives data subjects the right to rectify or erase their data, and the right to be forgotten. These are concepts that are incompatible with the blockchain concept, as data in a blockchain ledger cannot be modified nor erased. Another important issue is that anyone entitled to write in a blockchain or send data should be considered a data controller under the GDPR. The GDPR places strict onus on data controllers to ensure compliance with its terms and to report any failure to do so. It requires organisations to self-report breaches to data regulators, and imposes hefty fines for those who do not comply. Moreover, questions arise with respect to limited storage periods under the GDPR versus unerasable content in the blockchain, “privacy by design” and “privacy by default”, data export outside the EU, etc. Encryption and permissioned blockchains certainly protect personal data and restrict who can access such data. But as blockchain continues to evolve, privacy must also remain integral to its design.

These are substantial issues that the EU policy dealmakers will have to deal with in the coming years.

How has the role of data lawyers changed since you started practising?

Twenty years ago we were pioneers informing our clients about the applicable national legislations in the different EU member states, trying to obtain the buy-in from management to do a compliance programme, coordinating working with data lawyers in other EU member states and helping to decide which countries had to be prioritised in view of the likelihood of action by the local data protection authority.

Nowadays the clients are much more sophisticated and the technical complexity of the issues is much higher, given the broad scope and extraterritorial application of the GDPR, and the new rights and obligations for all parties involved. It has almost become impossible to advise on legal issues surrounding data protection without close cooperation with consultants specialised in risk assessment and IT security. Given the high fines that can be imposed, data lawyers now play a more important role in the decision-making of the company.

What are the greatest challenges facing data lawyers today? 

One challenge data lawyers and their clients consistently face is how to implement privacy compliance solutions that meet the growing number of local and national requirements demanded of a global privacy programme. There are challenges to building a programme to meet multi-jurisdictional requirements, and then actively demonstrating the business’s effectiveness at meeting those requirements. Privacy programmes often require clients to change their focus from protecting systems and applications to responsibly managing their information assets — and change is never easy. When you couple this with the fact that data often sits on multiple systems across an organisation, implementation of (multi-jurisdictional) privacy programmes can be challenging.

What are the unique demands of dealing with large data sets in your practice?

Managing the legal risks around big data can be challenging. Privacy and data protection laws will apply to the business if the big data set contains any personal data, including sensitive personal data, such as names, addresses, health records, bank details or unique identifiers. Hence, a simple method to conform to all requirements of GDPR is to process only anonymous data. However, the definition of anonymity is not trivial. Even if directly identifiable parameters are removed from a dataset, it might be possible to re-identify single individuals by combining the dataset with other information.

As result of the implementation of the GDPR, businesses seeking to mine big data sets need to take into account “privacy by design” and “privacy by default” and conduct data protection impact assessments. The GDPR also has a wider scope than existing laws, meaning it will capture both data and companies that previously fell outside the remit of the EU’s data protection laws. Such businesses must comply with data processing principles such as data minimisation (eg, through pseudonymisation) and storage limitation, and be mindful of security and governance processes so that the personal data they store or process is secure and protected from misuse and hacking (appropriate technical and organisational measures to ensure a level of security appropriate to the risk may include techniques such as data encryption, access control, physical protection and, again, pseudonymisation). Businesses dealing with big data should also have appropriate privacy compliance processes and standards in place and be open and transparent about how information will be collected, processed and transferred. The GDPR has imposed a greater compliance burden and increased accountability obligations on businesses.

From the above it is clear that big data and the GDPR are not always compatible. For example, big data mining relies on the analysis of large amounts of data, which often contradicts the principle of data minimisation. In addition, in data analysis very often new hypotheses for testing are introduced after the data is collected; however, the data subjects from which the data is collected have initially given consent for a different purpose. Thus, from a legal perspective, data processing should be done – if possible – on anonymised data, otherwise great care must be taken that the GDPR is respected.

How has GDPR influenced the work you have been doing over recent years?

The GDPR is probably the largest shake-up to data privacy in two decades and it has clearly influenced the work of data lawyers over the past few years.

Due to its extraterritorial application, it has a substantial impact on non-EU companies.

Due to advances in computing processing power and AI, much more data is processed and what companies can do with this data is beyond imagination – this is not always compatible with the GDPR.

Under the GDPR, data security breaches must be reported within a tight time frame of 72 hours after first being discovered, meaning that the time to investigate the extent of any damage and put in place mitigation steps is extremely short.

Because of the huge fines, the possibility for direct actions through class action proceedings, and the increasing enforcement actions of the national data protection authorities – not forgetting any reputational impact resulting from any breach of the GDPR – data lawyers are now much closer to the boardroom than they were prior to the GDPR.

What advice would you give to someone starting out as a data lawyer?

If you want to launch a career in privacy law, you should follow the relevant courses. You may want to obtain an IAPP certification as a certified information privacy professional (CIPP). You should look for privacy law opportunities at your workplace, as there should be plenty. You may look for fellowships and/or attend conferences. You also should try to network with reputed privacy lawyers and immerse yourself in the community. Further, you should try to publish some articles. And, finally, you should familiarise yourself with the new technologies and, if you are tech-savvy enough, learn to code which will definitely give you an edge as a data lawyer.

Thought Leaders - Data - Data Privacy & Protection 2020

Q&A

WWL Ranking: Thought Leader

WWL says

Steven De Schrijver is a leading authority on privacy and protection matters, distinguished by peers as a “very skilled and responsive colleague”.

Questions & Answers

Steven De Schrijver is a partner with the Belgian law firm Astrea. He has 28 years of expertise in a wide range of IT and technology law matters. Steven has been involved in many outsourcing, digital transformation, video platform and data protection (now GDPR) compliance projects. He has a passion for artificial intelligence, robotics and drones. He is also considered to be one of Belgium’s top tech M&A lawyers.

How has the market changed since you first started practising?

Over the years, data security has become more important as cyberthreats have also increased. When I started practising, the use of the internet became more widespread and more people began putting their personal information online. Because of this, organised crime entities saw this as a potential source of revenue, and started to steal data from people and governments via the web. While governments and companies put up firewalls and antivirus programs to minimise the risks, hackers created stronger and stronger computer viruses and worms. Over Snowden (2013), Yahoo! (2013-2014), WannaCry (2017), Marriott (2018) and Facebook/Cambridge Analytica (2019), the hacking became more and more complicated. Whereas in the beginning we, as lawyers, were just advising on applicable laws and advertising clients to take the necessary security measures, clients are now better aware of the risks – but it has become more difficult to stay on top of information security in an ever-increasing global world, and you need a whole team of IT and forensic experts when you want to assist your client in case of a cyberattack or data breach.

What qualities make for a successful data security specialist?

As a data security specialist, you need to have an interest in technology, good knowledge of the applicable laws, and the ability to navigate uncertainty and a changing legal landscape. Sometimes you need to be a creative legal mind who can think “outside the box”, and you need to have good communication skills with both external counterparts (regulators) and internal stakeholders. You need to be assertive towards your clients, but also understand their commercial and business issues so that you can help them to set priorities. 

What are some of the challenges posed by representing and advising large technology companies today? 

In times where technology changes rapidly, and new solutions such as artificial intelligence (AI), machine learning and big data are about to further revolutionise the world, lawyers can only be good advisers to their clients if they fully understand the technology they are advising on. A successful technology lawyer should therefore, for example, follow a course on the functioning of AI or its different types. Only then can a technology lawyer provide creative solutions to the legal questions of modern technology, including those on data security. Indeed, some creativity will be needed in many cases, as the law is known to be lagging behind current events and it will not always be able to provide sound solutions.

What currently poses the greatest threat to the data security of individuals and corporations, and how can this threat be addressed? 

Despite many campaigns, the number of people and companies that fall victim to phishing and other online crimes remains high. Governments must continue to invest in sufficient means to combat online criminals. In addition, businesses must ensure that they follow the GDPR’s rule that obliges them to implement appropriate technical and organisational measures to securely process the data of their customers. After all, leaked client data can be an important source of income for online criminals, who sell it on the dark web.

Belgian companies themselves are increasingly becoming the target of cybercrime. In 2019, the number of reported cases with insurance brokers was 194 per cent higher than in 2016. In many cases ransomware is being used, which shuts down the entire IT system of a company until the ransom is paid, which in extreme cases can amount to more than €1 million. It is therefore crucial for businesses to design and respect internal policies and action plans which include procedures on how to deal with various online threats, especially suspicious emails and other phishing methods which are becoming increasingly sophisticated. 

How has Astrea adapted to address the challenges caused by the rise in online fraud?

As with most law firms, Astrea has protected itself by having backups in place of all data on third-party servers, which are well protected; by implementing a firm-wide password policy; by installing antivirus software; and by educating its staff to not click on suspicious links.

Which technology do you see changing the market and creating the most work for your firm in the next five years? 

The rise of AI will certainly confront lawyers with many challenges, as many legal domains have not yet come up with sound solutions to legal questions that it will create. AI can be used to improve data security. Thanks to AI’s ability to automate businesses’ threat prevention, detection and response (eg, algorithms may detect the patterns of a ransomware or malware attack before it enters into a system), it has a significant role to play within a robust cybersecurity strategy. However, just as organisations are using AI for cybersecurity purposes, hackers are using the same technology to test their own malware, with the aim of bypassing even the most advanced strategies. Another thrilling technology is quantum computing, which may provide for advanced encryption methods to secure data, but may also be used again by cybercriminals could to breach securely stored data. Hence, this shows how important it is and will be for businesses to make sure that they are secure against all new technologies, such as quantum computing, which means that they need to constantly re-evaluate and update their data security systems.

What impact could the covid-19 pandemic have on cybersecurity? 

As the president of the European Commission already warned at the end of March, there has been a significant increase of cybercrime as a direct result of the covid-19 pandemic. As millions of people have now moved their activities to the virtual world, whether it is for remote working or online classes, cybercriminals have now gained even more targets than before. It is expected that all sorts of cybercrime (eg, phishing emails, ransomware, malware, etc) will appear more often in the coming months. VPN services in particular may be confronted with increased attacks as they provide a lifeline for the functioning of many businesses. It seems that, more than ever, businesses must consider the importance of solid cybersecurity of their systems to ensure that they continue to function despite the circumstances and remain resilient to online threats, businesses should also keep focusing on (online) training of staff.

Further, it should be noted that some countries have chosen to introduce apps that monitor the location of carriers of the covid-19 virus, and warn others when they get close to such a carrier. But in the Netherlands, for instance, where several apps are being tested, the data of users, including their names and addresses, have been exposed by data leaks. Even in times of crisis, the data security and privacy of individuals must be safeguarded, and such insufficiently tested digital solutions should not be used too hastily.

What has been your greatest achievement to date?

In general I am a person who prefers to be forward-looking, rather than backward-looking. Of course, I am very proud that over the past 28 years I have been able to assist so many foreign and Belgian companies on data-related matters, and been able to cooperate with so many large and boutique law firms on many significant cross-border cases and transactions. However, I think my greatest achievement is that as a young lawyer, I picked a domain that fascinated me, and through hard work, many publications, conference appearances and networking – and of course, great clients – I have become a recognised practitioner who is seen by his peers and clients as a thought leader in this domain.

Thought Leaders - Data - Data Security 2020
WWL Ranking: Thought Leader
Thought Leaders - Data - Information Technology 2020
WWL Ranking: Thought Leader
Thought Leaders - Data - Telecoms & Media 2020
WWL Ranking: Thought Leader

Global Leader

WWL Ranking: Global Elite Thought Leader

WWL says

Steven De Schrijver is a leading authority on privacy and protection matters, distinguished by peers as a “very skilled and responsive colleague”.

Biography

Steven De Schrijver is a partner in the Brussels office of the Belgian law firm Astrea. He has 28 years of experience advising some of the largest Belgian and foreign technology companies, as well as innovative entrepreneurs on complex commercial agreements and projects dealing with new technologies, most of the time with a cross-border element. Steven has been involved in many outsourcing, software and cloud application development, digital transformation and data protection (now GDPR) compliance projects. He has a passion for artificial intelligence, robotics and drones.

Steven is also considered one of the most prominent Belgian tech M&A lawyers, and has used his in-depth knowledge of the tech sector and expertise in technology law matters (privacy, open source) to assist his clients with the acquisition and sale of numerous Belgian software and technology companies.

Steven is the Belgian member of EuroITCounsel, a quality-led circle of independent IT lawyers. He is also a former board member of ITechLaw and a former president of the International Federation of Computer Law Associations. In 2012, 2014, 2017, 2018 and 2019, he was granted the Global Information Technology/Data Lawyer of the Year award by Who’s Who Legal and, in 2012, he received the ILO Client Choice Award in the corporate law category for Belgium.

Steven has been admitted to the Brussels Bar. He holds a juris doctor (1992) and an LLM in business law (1995) from the University of Antwerp and an LLM (1993) from the University of Virginia School of Law. Steven obtained his CIPP/E in 2018.

Data - Data Security 2020

Professional Biography

WWL Ranking: Global Elite Thought Leader

WWL says

Steven De Schrijver is highly respected for his expertise in data security law with sources recognising him as “one of the leading practitioners internationally and locally”.

Biography

Steven De Schrijver is a partner in the Brussels office of the Belgian law firm Astrea. He has 28 years of experience advising some of the largest Belgian and foreign technology companies, as well as innovative entrepreneurs on complex commercial agreements and projects dealing with new technologies, most of the time with a cross-border element. Steven has been involved in many outsourcing, software and cloud application development, digital transformation and data protection (now GDPR) compliance projects. He has a passion for artificial intelligence, robotics and drones.

Steven is also considered one of the most prominent Belgian tech M&A lawyers, and has used his in-depth knowledge of the tech sector and expertise in technology law matters (privacy, open source) to assist his clients with the acquisition and sale of numerous Belgian software and technology companies.

Steven is the Belgian member of EuroITCounsel, a quality-led circle of independent IT lawyers. He is also a former board member of ITechLaw and a former president of the International Federation of Computer Law Associations. In 2012, 2014, 2017, 2018 and 2019, he was granted the Global Information Technology/Data Lawyer of the Year award by Who’s Who Legal and, in 2012, he received the ILO Client Choice Award in the corporate law category for Belgium.

Steven has been admitted to the Brussels Bar. He holds a juris doctor (1992) and an LLM in business law (1995) from the University of Antwerp and an LLM (1993) from the University of Virginia School of Law. Steven obtained his CIPP/E in 2018.

WWL Ranking: Global Elite Thought Leader

WWL says

Steven De Schrijver leads our research as a result of his superb work handling a variety of IT matters, prompting sources to affirm that he is “a very effective operator” and “a super attorney”.

Biography

Steven De Schrijver is a partner in the Brussels office of the Belgian law firm Astrea. He has 28 years of experience advising some of the largest Belgian and foreign technology companies, as well as innovative entrepreneurs on complex commercial agreements and projects dealing with new technologies, most of the time with a cross-border element. Steven has been involved in many outsourcing, software and cloud application development, digital transformation and data protection (now GDPR) compliance projects. He has a passion for artificial intelligence, robotics and drones.

Steven is also considered one of the most prominent Belgian tech M&A lawyers, and has used his in-depth knowledge of the tech sector and expertise in technology law matters (privacy, open source) to assist his clients with the acquisition and sale of numerous Belgian software and technology companies.

Steven is the Belgian member of EuroITCounsel, a quality-led circle of independent IT lawyers. He is also a former board member of ITechLaw and a former president of the International Federation of Computer Law Associations. In 2012, 2014, 2017, 2018 and 2019, he was granted the Global Information Technology/Data Lawyer of the Year award by Who’s Who Legal and, in 2012, he received the ILO Client Choice Award in the corporate law category for Belgium.

Steven has been admitted to the Brussels Bar. He holds a juris doctor (1992) and an LLM in business law (1995) from the University of Antwerp and an LLM (1993) from the University of Virginia School of Law. Steven obtained his CIPP/E in 2018.

Data - Telecoms & Media 2020

Professional Biography

WWL Ranking: Global Elite Thought Leader

WWL says

Steven De Schrijver impresses peers with his “extensive experience and vast knowledge” of mergers and acquisitions in the technology field. One source notes, “He is an absolute pleasure to work with.”

Biography

Steven De Schrijver is a partner in the Brussels office of the Belgian law firm Astrea. He has 28 years of experience advising some of the largest Belgian and foreign technology companies, as well as innovative entrepreneurs on complex commercial agreements and projects dealing with new technologies, most of the time with a cross-border element. Steven has been involved in many outsourcing, software and cloud application development, digital transformation and data protection (now GDPR) compliance projects. He has a passion for artificial intelligence, robotics and drones.

Steven is also considered one of the most prominent Belgian tech M&A lawyers, and has used his in-depth knowledge of the tech sector and expertise in technology law matters (privacy, open source) to assist his clients with the acquisition and sale of numerous Belgian software and technology companies.

Steven is the Belgian member of EuroITCounsel, a quality-led circle of independent IT lawyers. He is also a former board member of ITechLaw and a former president of the International Federation of Computer Law Associations. In 2012, 2014, 2017, 2018 and 2019, he was granted the Global Information Technology/Data Lawyer of the Year award by Who’s Who Legal and, in 2012, he received the ILO Client Choice Award in the corporate law category for Belgium.

Steven has been admitted to the Brussels Bar. He holds a juris doctor (1992) and an LLM in business law (1995) from the University of Antwerp and an LLM (1993) from the University of Virginia School of Law. Steven obtained his CIPP/E in 2018.

Features by Steven De Schrijver


Xaas: the legal implications of the inevitable evolution towards an integrated, service-based business model

Xaas: the legal implications of the inevitable evolution towards an integrated, service-based business model


The Future Is Now: Legal Consequences of Electronic Personality for Autonomous Robots

The Future Is Now: Legal Consequences of Electronic Personality for Autonomous Robots

Awards won by Steven De Schrijver

To view this content please login, or register if you are new to Who's Who Legal
Law Business Research
Law Business Research Ltd
Meridian House, 34-35 Farringdon Street
London EC4A 4HL, UK
© Law Business Research Ltd 1998-2020. All rights reserved.
Company No.: 03281866