Gary LaFever | July 27, 2020

EDPB FAQS: No Grace Period for Schrems II Compliance

The European Data Protection Board (EDPB) issued FAQs on 23 July 2020 [1] that highlight, among other matters:

  • The inability of SCCs to bind governmental authorities of third countries to which data is transferred, as they are only contractual in nature between the exporter and importer.[2]
  • The obligation of both the EU data exporter and the recipient of the data (the “data importer”) to verify, prior to any transfer, that they have measures in place that provide “the level of protection essentially equivalent to that guaranteed within the EU by the GDPR.”[3]
  • The obligation of the data exporter to suspend the transfer of data and/or to terminate the contract when SCCs have no supplementary measures and (therefore) do not “ensure compliance with the level of protection essentially equivalent to that guaranteed within the EU by the GDPR.”[4]
  • The applicability of the Schrems II requirements to other countries as well as to the U.S.[5]
  • The absence of any grace period and the requirement to take prompt action following the Schrems II decision.[6]
  • The illegality of data transfers under the Privacy Shield and the immediate need to find an alternate legal basis or terminate the processing.[7]
  • The need to augment data transfers using SCCs with supplementary measures to ensure that U.S. or other third country laws “do not impinge on the adequate level of protection they guarantee.”[8]
  • The applicability of the Schrems II mandated requirements to all data transfers covered by Binding Corporate Rules (“BCRs”).[9]
  • The EDPB will be assessing the impact of Schrems II on transfer tools other than SCCs and BCRs. In all cases they highlight that the requirement for “appropriate safeguards” in Article 46 GDPR is that of “essential equivalence.”[10]
  • That “consent of the data subject” only serves as a derogation allowing for lawful data transfer when the consent is: (i) explicit; (ii) specific for the particular data transfer or set of transfers; and (iii) informed, particularly as to the possible risks of the transfer.[11]
  • That “necessary for contract” only serves as a derogation allowing for lawful data transfer on an “occasional” basis and when the transfer is objectively necessary for the performance of the contract.[12]
  • That “important reasons of public interest” only serves as a derogation allowing for lawful data transfer if recognized by EU or a Member State law and restricted to specific situations.[13]
  • The need for further analysis before the EDPB can provide guidance on “the kind of supplementary measures that could be provided under Schrems II in addition to SCCs or BCRs, whether legal, technical or organisational measures, to transfer data to third countries when SCCs or BCRs do not provide the sufficient level of guarantees on their own.”[14]

THERE ARE ALTERNATIVES to deleting data in the cloud and terminating contracts. To learn more, read article by Magali Feys, Belgian-based Chief Strategist Ethical Data Use: Schrems II and Cloud Computing: Immediate Action Required.

Please feel free to share Magali’s article with colleagues and clients as it introduces www.DataEmbassy.com principles as a means of implementing compliant safeguards to complement SCCs and BCRs for ongoing lawful international data transfer notwithstanding invalidation of the Privacy Shield under Schrems II.


[1] See EDPB FAQs on Schrems II adopted on 23 July 2020 at https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118.pdf

[2] See EDPB FAQ #1.

[3] Id.

[4] Id.

[5] See EDPB FAQ #2 and FAQ #9.

[6] See EDPB FAQ #3.

[7] See EDPB FAQ #4.

[8] See EDPB FAQ #5.

[9] See EDPB FAQ #6.

[10] See EDPB FAQ #7.

[11] See EDPB FAQ #8.

[12] Id.

[13] Id.

[14] See EDPB FAQ #10.THERE ARE ALTERNATIVES to deleting data in the cloud. See article by Magali Feys, our Belgian-based Chief Strategist Ethical Data Use, addressing clarification by the EDPB since publication of your article;

Schrems II and Cloud Computing: Immediate Action Required.

Please feel free to share Magali’s article with colleagues and clients as it introduces www.DataEmbassy.com principles as a means of implementing compliant safeguards to complement SCCs and BCRs for ongoing lawful international data transfer notwithstanding invalidation of the Privacy Shield under Schrems II.

This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.

CLICK TO VIEW CURRENT NEWS