On the 23 July 2020, the European Data Protection Board (EDPB) adopted FAQs on the Schrems II judgment. The FAQs provide answers to questions received by EU data protection authorities (DPAs) and will be developed and complemented by the EDPB in due course.
In brief, the EDPB clarifies:
- No grace period – The Court of Justice of the European Union (CJEU) has invalidated the Privacy Shield with immediate effect. The judgment does not provide any grace period during which companies can keep transferring personal data to the US without assessing the legal basis for the transfer.
- Use of SCCs for EEA-US transfers – US law (i.e. Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection. Whether or not you can transfer personal data to the US based on the Standard Contractual Clauses (SCCs) will depend on the result of your adequacy assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures, along with SCCs, would have to ensure that US law does not impinge on the adequate level of protection they guarantee.