EU: EDPB publishes FAQs on Schrems II judgment, provides practical recommendations for data transfers
The European Data Protection Board ('EDPB') published, on 23 July 2020, its Frequently Asked Questions ('FAQs') on the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). In particular, the FAQs aim to present answers to some frequently asked questions received by supervisory authorities, and will be developed and complemented along with further analysis, as the EDPB continues to examine and assess the CJEU's judgment.
Among the issues addressed in the FAQs, the EDPB clarified that the CJEU's judgment does not provide for a grace period in relation to the invalidation of the EU-US Privacy Shield.
In addition, the EDPB outlined, in relation to the transfer of personal data on the basis of Standard Contractual Clauses ('SCCs'), that whether or not you can transfer personal data on the basis of SCCs will depend on the result of an assessment that must take into account the circumstances of the transfers and the supplementary measures the exporter could put in place. In this regard, the EDPB highlighted that, following such assessment, where the exporter concludes that appropriate safeguards would not be ensured, it is required to suspend or end the transfer of personal data. However, the EDPB clarified that in circumstances where the exporter intends to keep transferring data, it must notify the competent supervisory authority.
Moreover, and in relation to the supplementary measures that data exporters may put in place, the EDPB reiterated that it is currently analysing the CJEU's judgment to determine the kind of supplementary measures that could be provided, whether legal, technical, or organisational, to transfer data to third countries where SCCs or Binding Corporate Rules ('BCRs') will not provide the sufficient level of guarantees on their own.
Furthermore, the EDPB reiterated that it is still possible to transfer data from the EEA to the US on the basis of derogations foreseen in Article 49 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Lastly, the FAQs address, among other things, the potential necessity of re-negotiating controller/processor agreements signed under Article 28 of the GDPR.
You can read the FAQs here.