On 10 November 2020, the European Data Protection Board (EDPB) adopted recommendation 01/2020 that is designed to help controllers and processers exporting data in EU private entities or public authorities to third countries act in compliance with the CJEU’s Schrems II judgment (--> eucrim 2/2020, 98-99).

The CJEU stated that it is above all, for data exporters in the EU to verify, on a case-by-case basis and, where appropriate, in collaboration with the importer of the data, whether the law of the third country of destination ensures an essentially equivalent level of protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, supplementary measures to those offered by those clauses. However, the CJEU did not further define how the assessment should be carried out and which supplementary measures are to be identified.

The EDPB recommendation includes a roadmap of the steps data exporters must take to determine if they need to put in place supplementary measures to be able to transfer data outside the EEA in accordance with EU law. Furthermore, examples of supplementary measures and some of the conditions they would require to be effective as well as the sources of information to asses a third country are given. The roadmap includes the following steps to be taken:

• Knowledge of transfer, which means that all transfers of personal data to third countries should be mapped;
• Verification of transfer tools pursuant to Arts. 45, 46, 49 GDPR;
• Assessment of whether there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools data exporters are relying on, in the context of the specific data transfer;
• Identification and adoption of supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence;
• Taking of formal procedural steps the adoption of supplementary measures may require;
• Re-evaluation of the level of protection afforded to the data transferred to third countries at appropriate intervals.

The EDPB stresses that the data protection supervisory authorities can be consulted to support the implementation of supplementary measures. They will also monitor whether data transfers to third countries are allowed and ensure further consistency with the EU data protection law in light of the Schrems II judgment. The recommendations may be further developed following a public consultation that ran until 21 December 2020. As for transfers of personal data carried out between public bodies, the EDPB point out its specific guidance in the Guidelines 2/2020 “on Articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies”, adopted in February 2020. For supporting the assessment of the level of interference when it comes to surveillance measures by third countries’ security and law enforcement authorities, the EDPB issued Recommendation 02/2020 (also adopted on 10 November 2020 --> separate news item).

In the aftermath of the Schrems II judgment of 16 July 2020, NGOs and public bodies worked on several guidelines that are to ensure compliance with the CJEU’s lines of argument (--> related link). This includes a compliance strategy paper for EU institutions issued by the EDPS who also supported the preparation of the EDPB guidelines. The challenges and consequences of the Schrems II judgment were also at the centre of the 48th meeting between the EDPS and the network of data protection officers (DPOs) of the 68 EU institutions and bodies on 11 December 2020. Discussions dealt for example with the practical consequences for existing and new contracts, the ways to conduct Transfer Impact Assessments (TIAs), and the margin of manoeuvre with regard to the use of derogations or supplementary measures. EDPS Wojciech Wiewiórowski reiterated that implementation of the Schrems II judgment is a complex task and necessitates joint efforts by all data controllers in the EU institutions and bodies.