Following the Court of Justice of the European Union’s (“CJEU”) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems on 16 July 2020 (“Schrems II”), the European Data Protection Board, tasked with overseeing compliance with the GDPR (“EDPB”), on 11 November 2020 issued its anticipated recommendations describing how controllers and processors transferring personal data outside the European Economic Area (“EEA”) may comply with the Schrems II ruling. These recommendations are applicable immediately but are open for public consultation until November 30. Information on submitting public comments is accessible here.
In Schrems II, the CJEU invalidated the EU-U.S. Privacy Shield program (“Privacy Shield”) and potentially required supplementary protections to be implemented when Standard Contractual Clauses (“SCCs”) are used to ensure an ‘essentially equivalent’ level of data protection. Under the GDPR, personal data transfers outside the EEA to jurisdictions which are not found to provide an ‘adequate level of protection’ to the data, are restricted unless appropriate safeguards are implemented. The Privacy Shield and SCCs were two key appropriate safeguard mechanisms used to legitimize transfers of personal data outside the EEA to ‘non-adequate’ recipient countries, referred to as “Third Countries.”