European Data Protection Board (EDPB) position
Following the Schrems II decision, on 24 July 2020, the EDPB published a ‘Frequently Asked Questions’ document. The EDPB noted that Schrems II has a particular impact on other transfer mechanisms as well: not only Privacy Shield and SCCs but also, for example, Binding Corporate Rules (BCR). On 11 November 2020, the EDPB issued long-awaited guidance further clarifying the steps data exporters are required to undertake prior to transferring data to a non-EEA jurisdiction – not only the US. The EDPB guidance document also makes it clear that there is no grace period and that enforcement would commence right away.
Post-Schrems II: Regulatory grey area
While the Schrems II decision and the subsequent EDPB guidance provided some direction, further analysis and commentary left many organizations still grappling with whether or not they could legally and safely transfer data outside the EU (in particular, to the US) and, if so, what was the correct procedure to follow.
While the EDPB guidance may have been intended to clarify, for implementing organizations, the steps for a permitted data transfer, when these organizations turn to the SA in each Member State, they may face conflicting interpretations of Schrems II and the EDPB guidance. Multinational organizations face an increased compliance obligation in trying to understand and synthesize the positions of different regulators across the EU, as well as any non-EEA jurisdictions in which they have operations. Given that the EDPB guidance stipulated that “the competent supervisory authority is required to suspend or prohibit such a transfer”, there is a significant risk that both data subjects and transferring organizations may experience a fragmented application of European law, where the same transfer could be deemed valid by one SA but not by another.
Following the Schrems II decision, some SAs declared any data transfer to the US to be illegal, and called for caution and minimization of transfers. The European Data Protection Supervisor (EDPS), tasked with safeguarding the EU’s own data protection policies and compliance, also called on the EU institutions “to avoid processing activities” that involve transfers of personal data to the US and instructed the EU institutions to complete “a mapping exercise identifying which on-going contracts, procurement procedures and other types of cooperation involve transfers of data.” At the same time, other SAs noted that Schrems II validated the use of SCCs as a transfer mechanism, provided that additional measures were implemented.