The EDPS has published a strategy to monitor compliance with the Schrems II judgment on transfers of personal data to third countries.
On 29 October 2020, the European Data Protection Supervisor (EDPS) published its strategy to monitor compliance with the ‘Schrems II’ judgment of the European Court of Justice by European institutions, bodies, offices, and agencies in relation to transfers of personal data to third countries and, in particular, to the United States.
The position of the EDPS on the Schrems II case
The European Data Protection Supervisor’s stated objective is that “ongoing and future international transfers are carried out in accordance with EU data protection law.”
The Schrems II judgment has far-reaching consequences for all instruments used to transfer personal data from the European Economic Area (EEA) to any third country. Although the European Data Protection Supervisor’s strategy aims to bring all transfers in line with the judgment in the medium term, two priorities have been identified by the EDPS to address in the short term which are the following:
- complete a mapping exercise identifying which on-going contracts, procurement procedures, and other types of cooperation involve transfers of data. These are transfers that do not have a legal basis, transfers that are based on derogations and transfers to private entities towards the U.S. presenting high risks for data subjects; and
- carry out case-by-case Transfer Impact Assessments (TIAs) to identify for the specific transfer at stake whether an essentially equivalent level of protection, as provided in the EU/EEA.
Based on these assessments, which must be carried out with data importers’ support, it will be possible to determine the adequacy of data transfers to the United States and other non-EEA countries.
In the press release issued on 29 October 2020, the European Data Protection Supervisor also stated that “Transfers of personal data by EUIs to third countries should comply with the EU Charter of Fundamental Rights, as well as applicable EU data protection legislation, specifically Chapter V of Regulation (EU) 2018/1725. To this end, the Strategy builds on the cooperation and accountability of controllers to assess whether the essentially equivalent standard of protection, based on the Court’s ruling, is guaranteed when transfers of personal data are made towards third countries.”
Finally, the Strategy clarifies that the European Data Protection Supervisor is working with other supervisory authorities to develop further guidelines and recommendations to assist data controllers and controllers in adopting and implementing appropriate measures to ensure a sufficient level of protection when transferring data to third countries.
The feedback on data transfers after the Schrems II case
The EDPS’s position is in line with the one previously taken by the EDPB. It underscores that the performance of a transfer impact assessment (TIA) of each individual transfer is crucial. We will never be back at the situation where the mere adoption of additional standard contractual clauses will be considered sufficient. Even the forthcoming adoption of the guidelines by the EDPB on the matter will only provide guidance on which additional measures that might be appropriate, but it will not resolve the issue.
In this context, the methodology developed by DLA Piper to assess the adequacy of transfers of personal data to third countries after the Schrems II judgment becomes useful support that has already been appreciated by the main European guarantors. You can learn more about our methodology in this article.
Image credit TeaMeister