On Friday September 4, 2020, the European Data Protection Board (EDPB), a body consisting of representatives of all the Data Protection Authorities (DPAs) in the European Economic Area, announced that it had formed two new taskforces, following the groundbreaking Schrems II ruling by the Court of Justice of the European Union (CJEU) in July 2020.1 In that judgment, the CJEU held that Standard Contractual Clauses (one of the mechanisms for lawfully transferring personal data from the EU to the U.S. under the General Data Protection Regulation (GDPR)) were in principle valid, but in certain circumstances additional safeguards were required, in particular when transferring data to the U.S. The CJEU also held that relying on the EU-U.S. Privacy Shield was an invalid mechanism for transferring personal data (see here for a more detailed analysis of the Schrems II decision).
The EDPB Announcement states that the first of the two taskforces has been set up to “prepare recommendations to assist controllers and processors with their duty to identify and implement appropriate supplementary measures to ensure adequate protection when transferring data to third countries.” The recommendations are eagerly awaited as stakeholders have been considering what additional safeguards, on a practical level, could be implemented in order to comply with the CJEU’s ruling. It is expected that the recommendations will develop and compliment the FAQ document, adopted by the EDPB on July 23, 2020, which provides initial clarification on the use of legal instruments for the transfer of personal data to third countries, including to the U.S.
The second of the two taskforces has been set up to process and uniformly respond to a set of specific complaints received by DPAs, following the Schrems II judgment. By way of background, on August 17, 2020, 101 identical individual complaints were filed by ‘None of Your Business’, a non-governmental organization founded by Max Schrems, which alleges that Google and Facebook’s reliance on the EU-U.S. Privacy Shield or Standard Contractual Clauses is now unlawful, following the Schrems II decision. The new taskforce is expected to “analyze the matter and ensure a close cooperation among the members of the [EDPB].”
The German federal DPA (the ‘BfDI’) has published a press release stating that it supports the formation of the two new taskforces. In particular, the BfDI notes that the first taskforce was set up on the joint initiative of Germany and France, and will develop criteria for assessing individual data transfers and additional data transfer measures, as well as suggesting procedural steps for the implementation of such measures. In relation to the second taskforce, the BfDI notes that the EDPB is sending a strong signal with the taskforce, and that “[t]he crucial question of whether these Google and Facebook services comply with European data protection law can now finally be answered uniformly across Europe.”
The EDPB has not given any indication as to the timeframe in which either taskforce will publish its recommendations. However, Andrea Jelinek, the EDPB’s chair, cautioned that there would be no “one-size-fits-all, quick fix solution” to the implications raised by the Schrems II ruling, and emphasized that “[e]ach organisation will need to evaluate its own data processing operations and transfers and take appropriate measures.”
Finally, the EDPB Announcement also indicates that the EDPB has published, and is seeking feedback on, draft Guidelines on the concepts of “controllers” and “processor” in the GDPR and draft Guidelines on the targeting of social media users. The consultation process relating to both sets of draft Guidelines is expected to end on October 19, 2020. Our update in relation to those Guidelines will follow in due course.