Earlier this year, in Schrems II, the Court of Justice of the EU (CJEU) invalidated the EU-US Privacy Shield. That judgment also cast doubt over the validity of standard contractual clauses (SCCs) as a means of transferring personal data outside of the EU, in particular to the United States. Unsurprisingly, this has caused concern within organisations that rely on such transfers as part of their business model.
Data protection requirements, imposed by the GDPR, travel with any personal data whenever it is transmitted outside of the EU. Problems arise when an organisation needs to transfer personal data to a jurisdiction where local laws might undermine these protections. Without some way to manage this potential conflict, it was unclear if organisations’ personal data transfers outside of the EU would be able to continue.
Unfortunately, the CJEU provided no practical guidance for organisations as to how to make international personal data transfers compliant with its ruling and did not provide any safe harbour period before its ruling took effect. In recent days, however, two key efforts have been made to help organisations meet their post-Schrems II GDPR requirements:
- recommendations have been issued by the European Data Protection Board (EDPB); and
- a revised set of SCCs has been published by the European Commission for consultation.
Recommendations Issued by the EDPB
The EDPB has published a practical roadmap for organisations seeking to transfer personal data internationally in a compliant manner in the wake of Schrems II. This roadmap sets out six recommended steps: