16 Nov 2020
We reported on 16 July 2020 (US Privacy Shield Broken) that the CJEU had struck down the EU-US Privacy Shield, leading to uncertainty about future exports of personal data to the US and other countries unless it could be shown that they provided a level of data protection equivalent to that of the EU. The judgement left it to data controllers to assess the third country's adequacy on a case-by-case basis and was not specific about the supplementary measures needed to protect the data where the level of protection was not adequate.
Now the European Data Protection Board (EDPB), made up of EU member state regulators (excluding the UK), has issued guidance that is open for consultation until the end of November.
The guidance is intended to assist controllers and processors in complying with the CJEU’s ruling that ‘data exporters’ seeking to rely on the EU’s Standard Contractual Clauses* must: (1) conduct a risk assessment of the transfer; and (2) if necessary, implement “supplementary measures” to protect the data in the recipient country. However, future CJEU rulings could make a difference, and UK organisations will also need to take into account advice from their own regulator, the ICO.
Thus, where a country does not have a current 'adequacy agreement' (and the USA for example does not), organisations must assess their data exports to that country on a case-by-case basis and take any necessary steps to reduce the risks or not go ahead with exporting personal data.
* Revised SCCs are open for public consultation until 10 December 2020. Adoption requires an opinion of the European Data Protection Board and the European Data Protection Supervisor, followed by a positive vote of EU Member States. Consequently, the final SCCs are not expected to be adopted before early 2021.
Read on for a summary of the Board's suggested 'Six-step Plan' and some examples of Supplementary Measures.