The wave of uncertainty created by the CJEU Schrems II decision had left many opting for a ‘wait and see’ approach to international transfers of personal data. Why revamp all existing processes without further guidance on what will (or not) be compliant, they quite sensibly asked? Last week, both the European Data Protection Board (EDPB) and the EU Commission answered the call by publishing the following documents - albeit not necessarily with the answers organisations had hoped for:
- the EDPB’s draft guidance on supplementary measures for international transfers;
- the EDPB’s guidance on how to assess a country’s surveillance powers; and
- the EU Commission’s draft updated standard contractual clauses for transferring data to non-EEA countries.
Although some of the above are still in draft form, time is fast running out for organisations to bring themselves in line with the Schrems II decision. Our briefing “International transfers of personal data: A way forward?" has details on the steps organisations should take from now on in light of these recent developments. Note that since publication of the briefing, the EDPB has confirmed that the consultation on its guidance on supplementary measures has been extended from 30 November till 21 December.
Organisations would therefore be well advised to start planning, if they haven’t already, for this new regime with its attendant resourcing implications.