Keypoint: Representatives of the European Commission and EDPB advised that further guidance on cross-borders data transfers are forthcoming.
Last week, Didier Reynders, European Commissioner for Justice, and Dr. Andrea Jelinek, Chair of the European Data Protection Board (EDPB), appeared at a hearing conducted by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, and updated committee members on their work since the Schrems II decision.
In his remarks, Mr. Reynders identified three main areas on which the Commission is focusing.
First, the Commission is working with data protection authorities and the EDPB “to build a common understanding of the judgment and to avoid a fragmented approach from one member state to another.”
Second, the Commission is working to modernize the Standard Contractual Clauses, which process started before the Schrems II decision. The revised SCCs will reflect guidance from the Schrems II decision, which “should help companies in their compliance efforts.” Mr. Reynders stated that finalizing work on the SCCs is a “top priority” and that they “intend to launch the adoption process for the new clauses in the coming months and [he hopes] finalize it by the end of this year.”
Third, the Commission is working on negotiating a new framework with the United States. However, he cautioned “there will be no quick fix.”
Mr. Reynders concluded his remarks by stating that “the protection must travel with the data around the world.”
Much later in the hearing, and in response to committee member questions, Mr. Reynders outlined what “modernization” of the SCCs would entail. First, the SCCs need to be updated in light of new requirements of GDPR such as the controller/processor relationship in Article 28 and GDPR’s transparency obligations. The SCCs also need to address data transfers that are not currently covered, including transfers from an EU processor to a non-EU subprocessor. Third, the SCCs need to better reflect the processing activities in the modern digital economy where there are multiple data importers and exporters.
In her remarks, Dr. Jelinek stated that the EDPB is “currently preparing additional support to provide controls and processes with recommendations to assist [organizations] in identifying and implementing appropriate supplementary measures.”
Dr. Jelinek also stated that it was “important to point out” that the Schrems II ruling applied to data transfers to all third countries, not just the United States. Further, the derogations for transfers identified in Article 49 “must be treated as what they are – derogations” and “can only be the exception, not the rule.”
She further stated that, in the coming weeks and months, the EDPB would review existing documents and guidance in light of the Schrems II judgment. The EDPB also will prepare recommendations to controllers to identify appropriate supplementary measures of the “legal, technical and organizational nature.” She was careful to point out, however, that there cannot be a “one-size-fits-all” or “quick fix” solution” and that each organization will need to evaluate its own unique situation.
The day after the hearing, the EDPB announced that it has created a taskforce to “prepare recommendations to assist controllers and processors with their duty to identify and implement appropriate supplementary measures to ensure adequate protection when transferring data to third countries.”
In the end, although Mr. Reynders and Dr. Jelinek did not provide insight into the nature of the forthcoming guidance and changes, they did confirm that companies should expect to see developments in the coming months.
The hearing also included comments from Max Schrems as well as committee members. Mr. Schrems and the committee members raised numerous concerns regarding the status of these issues and were passionate that the European legal structure must ensure for the rights of European citizens at home and abroad.