The European Data Protection Board (“EDPB”) plans to release further guidance in the coming months on specific steps that companies can take to export personal data from the European Economic Area to locations in the United States following a major shakeup in the law earlier this year.
Although the EDPB issued only initial FAQs shortly after the change, EDPB Chair Andrea Jelinek said on September 23, 2020, “I’m quite sure that the companies should not wait until they are advised differently, because the Court told the companies in its decision, in this ruling, that it’s up to them to decide and to look on a case to case basis on their data processing and transfers.”
ZwillGen shared some of our concrete ideas for addressing the issue in our article Supplementing SCCs To Solve Surveillance Shortfalls.
“We are working as quickly as possible and as thoroughly as possible,” Dr. Jelinek said, indicating that she was hopeful the guidance could be issued within two months but could not commit to a specific timeframe. Her remarks came during a panel discussion that was part of the Data Privacy Conference USA 2020.
The EDPB is preparing its guidance following a July ruling by the Court of Justice of the European Union (“CJEU”) that found the EU-U.S. Privacy Shield framework (“Privacy Shield”) is no longer a valid mechanism for exporting personal data from the European Economic Area (“EEA”) to the United States.
In the ruling, known as Schrems II, the Court found that Standard Contractual Clauses (“SCCs”) can still be used as a mechanism for exporting personal data from the EEA to outside the EEA, but only if the transferred personal data receives a level of protection essentially equivalent to that provided by the GDPR and the EU Charter of Fundamental Rights.
Dr. Jelinek said the new guidance will identify legal, technical, and organizational measures that companies can take to ensure at least some of their transfers meet the “essentially equivalent” standard.