It’s been a busy time for privacy professionals over the past few months and there is no doubt that it’s going to get even busier with the new Schrems II recommendations that were published on November 11, 2020, by the European Data Protection Board (EDPB). With the significant development of the European Data Protection Board releasing their recommendations following the Schrems II decision, privacy experts are staying on their toes. Throughout this blog, we’ll discuss the EDPB’s recommendations.
Watch the Webinar: Schrems II Fallout — Dealing with International Transfers Post Schrems II
A brief synopsis of key points from the Schrems II decision
Two key points that came from the Schrems II decision were the invalidation of the Privacy Shield Program and the primary obligation of data importers and exporters to verify through an assessment, prior to any transfer, the laws of the third country outside of the EU where data is being transferred to.
Neither the court in Scherms II nor the EDPB in its subsequent guidance in July specified in detail what the assessment or the supplementary measures may involve. With the recommendations that were just released the details of what these assessments entail and what should be considered have been revealed.
What are the supplementary measures recommendations for Schrems II?
The first set of recommendations covers the actual assessment and the supplementary measures that data exporters may need to adopt for compliance of an EU level of personal data protection. The key elements of these recommendations consist of six steps that need to be taken by data exporters:
Read the blog: Schrems II Decision: EDPB Publishes Recommendations
Other considerations and thoughts on Schrems II:
One of the overarching concerns that the US government has, according to the white paper the US government issued, is that there needs to be timely and detailed advice. On the US side, part of the frustration is that the Schrems II decision itself doesn’t really examine US surveillance authorities. There is still a disconnect on how it seems that the EDPB looks at how US surveillance authorities work and how those authorities work in practice. There also concerns about the level of work that will be required to be compliant with these guidelines and what that entails for companies today.
Want to learn more about the Schrems II decision? Watch this webinar.