The European Data Protection Board (EDPB), the body responsible for ensuring the consistent application of data protection rules by supervisory authorities (SAs) throughout the European Union, has issued some welcome guidance following the CJEU's recent Schrems II judgment.
In particular, the guidance focuses on the options available to those previously reliant on the EU-US Privacy Shield, and clarifies the additional equivalence assessments that will be required when relying on the standard contractual clauses (aka model clauses or SCCs) and binding corporate rules (BCRs).
The full guidance is included below, but here are some stand-out highlights:
- No grace period: The Board stated there will be no grace period for the move away from Privacy Shield;
- Equivalence assessment required for SCCs and BCRs: The equivalent protections assessment must be conducted for all GDPR transfer mechanisms, including the SCCs and BCRs;
- What do supplementary measures look like?: The EDPB is continuing to analyse the Court's judgment to determine what legal, technical or organisational measures will be required, and plans to publish additional guidance.
- Suspension: If, following your assessment, taking into account the circumstances of the transfers and any supplementary measures you put in place, you determine that the third country's surveillance laws still prevent an essentially equivalent level of protection, the transfers should be suspended;
- Notification requirement to SAs: If you nonetheless do not suspend the transfers, you must notify your competent supervisory authority;
- SAs will play a role in considering equivalence, including prohibition: Although it is the role of data exporters and importers to conduct the requisite assessments, the SAs will have a key role in enforcing the GDPR, and will coordinate through the EDPB any prohibitions on transfers to particular jurisdictions;
- Removing contractual permissions within your supply chain: If your processors or sub-processors are permitted to transfer data to jurisdictions like the US, and your assessment concludes equivalent protections are not maintained, you should revisit and vary those agreements to prohibit such transfers.
The EDPB is currently analysing the Court’s judgment to determine the kind of supplementary measures that could be provided in addition to SCCs or BCRs, whether legal, technical or organisational measures, to transfer data to third countries where SCCs or BCRs will not provide the sufficient level of guarantees on their own. The EDPB is looking further into what these supplementary measures could consist of and will provide more guidance.