EDPB guidance following the Schrems II ruling

The European Court decision in the Schrems II case earlier this year left data controllers with a huge headache as much of the legal structure for transatlantic data transfers was left in limbo. Now the European Data Protection Board has adopted recommendations to help organisations deal with international data transfers. There are no easy answers here - as the EDPB explains:

The recommendations contain a roadmap of the steps data exporters must take to find out if they need to put in place supplementary measures to be able to transfer data outside the EEA in accordance with EU law, and help them identify those that could be effective. To assist data exporters, the recommendations also contain a non-exhaustive list of examples of supplementary measures and some of the conditions they would require to be effective. 

However, in the end data exporters are responsible for making the concrete assessment in the context of the transfer, the third country law and the transfer tool they are relying on. Data exporters must proceed with due diligence and document their process thoroughly, as they will be held accountable to the decisions they take on that basis, in line with the GDPR principle of accountability. Moreover, data exporters should know that it may not be possible to implement sufficient supplementary measures in every case. 

The recommendations on the supplementary measures will be submitted to public consultation. They will be applicable immediately following their publication.

The Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data does at least provide a structure to help organisations think through the issues. In summary, this sets out the following steps for data exporters to take:

• know your transfers
• verify the transfer tool your transfer relies on
• assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer
• identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. This step is only necessary if your assessment reveals that the third country legislation impinges on the effectiveness of the Article 46 GDPR transfer tool you are relying on or you intend to rely on in the context of your transfer
• take any formal procedural steps the adoption of your supplementary measure may require, depending on the Article 46 GDPR transfer tool you are relying on
• re-evaluate at appropriate intervals the level of protection afforded to the data you transfer to third countries and to monitor if there have been or there will be any developments that may affect it. The principle of accountability requires continuous vigilance of the level of protection of personal data.

Comments on the Recommendations 01/2020 can be submitted throughout November 2020.