Following the judgement from the Court of Justice of the European Union (CJEU) in the Schrems II case against Facebook, the European Data Protection Board (EDPD) has issued a Frequently Asked Questions (FAQ) document to provide clarification and give preliminary guidance to supervisory authorities and other stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the United States. The EDPB will continue to develop the FAQ as it examines and assesses the judgement of the CJEU.
The ICO has issued a statement as a result of these FAQs, confirming that although further EU guidance is required, organisations should take practical steps at this stage to assess their data transfers in order to be flexible and reactive to further guidance from the EU as and when it unfolds. Given the role of supervisory authorities emphasised in Schrems II, the ICO has also confirmed that it will continue to adopt a "risk-based and proportionate approach".
