EDPB Adopts Measures On Post-Schrems II Supplemental Data Transfer Tools

Fox Rothschild LLP

Brace yourselves, the post-Schrems II supplemental measures are coming!

The European Data Protection Board adopted recommendations on measures that supplement transfer tools to ensure compliance with the European Union level of protection of personal data, as well as recommendations on the European Essential Guarantees for surveillance measures.

“The implications of the Schrems II judgment extend to all transfers to third countries. Therefore, there are no quick fixes, nor a one-size-fits-all solution for all transfers, as this would be ignoring the wide diversity of situations data exporters face. Data exporters will need to evaluate their data processing operations and transfers and take effective measures bearing in mind the legal order of the third countries to which they transfer or intend to transfer data,” said EDPB chair Andrea Jelinek.

The European Essential Guarantees recommendations provide data exporters with elements to determine if the legal framework governing public authorities’ access to data for surveillance purposes in third countries can be regarded as a justifiable interference with privacy rights.

Details in this EDPB Press Release.

Together with a roadmap for post-Schrems II transfer impact analysis, the new draft EDPB guidelines drop some bitter pills for US-based providers:

No supplementary measures possible to allow a transfer for:
  • Transfer to cloud service providers or processors requiring access to data in the clear
  • Remote access to data for business purposes, e.g., transfers to a controller or processor in a third country belonging to the same group of undertakings, or group of enterprises engaged in a joint economic activity, for use by the importer to provide personnel services for the data exporter, or to communicate with EU customers of the data exporter.
Supplementary measures possible, BUT:
  • U.S.-based provider providing hosting/backup services for an EU provider ⇒ only if you use encryption that cannot be accessed by US public authorities
  • If your services to an EU controller involve the transfer of pseudonymized information ⇒ only with the additional information for re-identifying held in an “adequate” country, and provided that information services sub-processors don’t change the likelihood of re-identification.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising
