European Data Protection Board Issues Recommendations on Supplementary Measures for SCCs in Wake of Schrems II
As a follow-up to the Court of Justice of the European Union's (CJEU) ruling in Schrems II, the European Data Protection Board (EDPB) has just adopted, for public comment, draft recommendations on supplementary measures for transferring personal data outside the European Economic Area (EEA). The document, “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data,” was adopted on November 10, 2020 to ensure compliance with the EU level of protection of personal data when such data is transferred outside the EEA using Standard Contractual Clauses (SCCs).
According to a press release issued by the EDPB, as a result of the Schrems II ruling, data controllers that rely on SCCs to transfer personal data outside the EEA must now verify, on a case-by-case basis, whether the law of the non-EEA country to which the data will be transmitted ensures an adequate level of protection of the personal data, as afforded under EU law. In its holding, the CJEU allowed data exporters to add supplementary measures to the SCCs to ensure that adequate protection is afforded to the personal data in compliance with the court’s decision. According to the EDPB, the recommendations “contain a roadmap” of actions data controllers must undertake to determine whether they need to add supplementary measures to the SCCs to lawfully transfer personal data outside the EEA to a third country. The press release states:
The recommendations aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries. In doing so, the EDPB seeks a consistent application of the GDPR and the Court’s ruling across the EEA.
Recommendations to data exporters include:
- understand all your personal data transfers;
- verify the transfer tool the data transfer relies on;
- assess whether the Article 46 GDPR transfer tool relied upon is effective in light of all circumstances of the transfer;
- adopt supplementary measures if the Article 46 GDPR transfer tool is ineffective;
- undertake procedural steps if effective supplementary measures have been identified; and
- re-evaluate at appropriate intervals.
The recommendations also contain a non-exhaustive list of case-specific examples of effective supplementary measures. The recommendations will be submitted for public comment and will be applicable immediately following their final publication.
Separately, the European Commission has published a draft of revised Standard Contractual Clauses for public comment. Comments for the modified SCCs are due by December 10, 2020 (midnight, Belgium time).
If you have questions or would like further information, please contact Joshua A. Mooney (firstname.lastname@example.org; 215.864.6345) or another member of the Cyber Law and Data Protection Group.