The European Data Protection Board (EDPB) Finalises Guidance on International Transfers of Personal Data Following Europe’s Top Court’s Schrems II Decision

Pillsbury Winthrop Shaw Pittman LLP

Pillsbury Winthrop Shaw Pittman LLP

The guidance outlines how organisations should approach international transfers and confirms examples of supplemental measures that can be adopted to ensure ongoing compliance and seeking to de-mystify earlier uncertainty.


  • In Schrems II, the Court of Justice of the European Union (CJEU) struck down the EU-U.S. Privacy Shield and emphasised the need to consider “supplementary measures” when transferring data pursuant to Standard Contractual Clauses (SCCs).
  • The EDPB guidance on supplementary measures comes shortly after the European Commission’s decision on new Standard Contractual Clauses (SCCs).
  • This latest EDPB guidance was first published in draft in November 2020. This final guidance sets out a step-by-step process to be followed when transferring data internationally to third countries.

Almost one year ago, the CJEU handed down its landmark judgment in the Schrems II case, shooting down the beleaguered EU-U.S. Privacy Shield. Since then, the international data transfer landscape has undergone significant developments, first with the publication of new SCCs (see Pillsbury analysis here) and now with the EDPB’s finalised guidance on supplemental measures. Businesses should take stock of the current position and review their international data transfer arrangements in light of this guidance.

International data transfers—where are we now?

In order to enable the continued flow of personal data between: (i) the EU and/or UK; and (ii) countries that have not been deemed to provide an “adequate” level of protection of personal data (including the U.S.), many organisations now rely on SCCs. However, while SCCs were not subject to the same fate as Privacy Shield, they did not escape the Schrems II case unscathed.

The CJEU did not invalidate the SCCs but did emphasise that they are not a silver bullet when it comes to international transfers of personal data; in particular, deciding that the underlying transfer that the SCCs apply to must also be assessed. The focus of this assessment is on any inconsistencies between the rights afforded to data subjects under the GDPR (pushed on to the data importer under the SCCs), and conflicting provisions of national laws in the receiving jurisdiction.

Following the Schrems II decision, in November 2020 the EDPB published its draft guidance on supplemental measures to ensure continued protection of personal data when subject to international transfers. Also in November 2020, the European Commission published its draft updated SCCs, which included provisions that were intended to combat the deficiencies identified in Schrems II.

After months of waiting, the finalised version of the new SCCs was published earlier this month, with the finalised EDPB guidance following a few days later.

How does it all fit together?

The new SCCs and the EDPB guidance must be read together. Pursuant to the CJEU’s decision in Schrems II, SCCs continue to constitute a valid transfer protection mechanism, provided supplemental measures are also undertaken where required. Information on the form of these measures is then contained in the EDPB guidance.

The structure of the finalised guidance follows that of the original draft and the key recommendations are the same. The guidance sets out six stages that should be completed to assess the risks related to the transfer. The six stages are as follow:

  1. Identify the transfer (including any onward transfers);
  2. Identify the transfer tool that is relied on (which in most cases will be the SCCs, unless another tool applies (such as Binding Corporate Rules);
  3. Assess whether the transfer tool is effective when considered alongside the national law and practices of the importer;
  4. Adopt supplementary measures where necessary;
  5. Consider whether any further procedural steps are required; and
  6. Re-evaluate at appropriate intervals.

In addition to the guidance itself, Annex 2 includes examples of supplementary measures that can be relied upon in relation to step 4. These include technical measures (such as encryption and pseudonymisation), contractual measures (such as imposing obligations on the receiving party), and organisational measures (such as access controls and need-to-know only access to the data).

The guidance makes specific reference to section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA) which will be a key consideration in relation to transfers to the U.S. We are still awaiting a guidance from the UK Information Commissioner’s Office (ICO) on implications of the EDPB guidance in the post-Brexit landscape. The ICO is also due to publish information about updated SCCs for transfers of personal data subject to the UK GDPR.

What steps should I take?

The area of international data transfers has been a key area of regulatory focus so far in 2021. In addition to these latest Schrems II-inspired developments, the EU Commission has just confirmed the adequacy decision for the UK, which came after receiving a unanimous approval vote from EU Member States.

As a result, businesses should review their international data transfer arrangements to ensure they remain compliant in this fast-changing landscape. Undertaking the transfer assessments envisaged by the EDPB guidance should dovetail with the repapering exercise required for any transfers that rely on the old SCCs (the new SCCs in fact reference the need for a transfer assessment).

U.S.-based software service providers should also take note of this latest guidance and prepare responses for the raft of information requests from EU based customers looking to assess the effectiveness of transfer tools in place (especially for any businesses subject to section 702 of FISA).

Crucially, step 6 of the EDPB guidance includes an ongoing obligation on businesses to re-evaluate transfers at appropriate intervals. This re-evaluation should be done pursuant to a documented policy to ensure consistency and compliance with the accountability principle of the GDPR.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury Winthrop Shaw Pittman LLP | Attorney Advertising

Written by:

Pillsbury Winthrop Shaw Pittman LLP

Pillsbury Winthrop Shaw Pittman LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.