Keypoint: The EDPB’s much-anticipated recommendations will help companies identify the supplementary measures they need to put into place to comply with the CJEU’s Schrems II decision.

Today, the European Data Protection Board (EDPB) announced that it has adopted recommendations on measures that supplement cross-border data transfer tools and recommendations on the European Essential Guarantees for surveillance measures. The recommendations – which are not yet publicly available – were adopted during the EDPB’s 41st plenary session and in response to the CJEU’s Schrems II ruling. Once available, the recommendations will be submitted for public consultation. As is customary, the recommendations are subject to legal, linguistic and formatting checks prior to being published on the EDPB’s website.

The EDPB’s press release does not detail what supplementary measures are recommended. However, it states that the recommendations contain a “roadmap of steps data exporters must take to find out if they need to put in place supplementary measures” and, if so, to “help them identify those that could be effective.” The recommendations “also contain a non-exhaustive list of examples of supplementary measures and some of the conditions they would require to be effective.”

The EDPB emphasized that data exporters are responsible for making a “concrete assessment” of the transfer, must “proceed with due diligence,” and must “document their process thoroughly.”

As mentioned, the EDPB also issued recommendations on the European Essential Guarantees for surveillance measures. The EDPB refers to those recommendations as “complimentary to the recommendations on supplementary measures.” Those recommendations “provide data exporters with elements to determine if the legal framework governing public authorities’ access to data for surveillance purposes in third countries can be regarded as a justifiable interference with the rights to privacy and the protection of personal data, and therefore as not impinging on the commitments of the Article 46 GDPR transfer tool the data exporter and importer rely on.”