On November 10, the European Data Protection Board (EDPB), the European Union’s top data privacy regulator, issued long-awaited guidance setting out a framework for navigating transfers of data out of the European Economic Area (EEA) in light of this July’s landmark ruling from the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v. Facebook Ireland and Maximilian Schrems (otherwise known as Schrems II). The EDPB also issued a document describing the “essential guarantees” that must be respected in order to ensure that interference with data subjects’ privacy and data protection rights through surveillance of transferred data does not “go beyond what is necessary and proportionate in a democratic society.” These two documents outline the risk assessment that companies must make on a case-by-case basis (as required by Schrems II) in order to allow transfers of data out of the EEA, while the first also discusses examples of the supplementary measures that companies can employ, together with standard contractual clauses, binding corporate rules or other legal transfer tools recognized by the EU General Data Protection Regulation (GDPR), to ensure that European data subjects receive an essentially equivalent level of privacy and data protection when their data is transferred out of the EEA.