The move appears to have been prompted, in part, by the landmark ruling in July 2020 from the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.1
In that case, Mr Schrems argued that Facebook Ireland should not be able to transfer his personal data to the United States as he felt that the laws of the United States would not provide adequate protection for his personal data.
Facebook argued that the EU-US Privacy Shield would provide Mr Schrems with adequate protection.
The CJEU held that a case by case assessment is required to determine whether there is adequate protection for personal data as on occasions the ‘Standard Contractual Clauses’, which require the transferee to meet certain GDPR requirements, will not be sufficient.
In addition to the guidelines, the EDPB also issued a document listing the ‘essential guarantees’ that must be respected in order to ensure that interference with data subjects’ privacy and data protection rights through surveillance of transferred data does not ‘go beyond what is necessary and proportionate in a democratic society’.
The practical effect of these recent developments is that data protection is becoming increasingly globalised and organisations cannot simply rely on either the EU-US Privacy Shield, or the ‘Standard Contractual Clauses’ when exporting data from the EU.
The administrative obligations on organisations exporting data out of the EU have been increased significantly as a result of these developments.
Data processors in the EU now need to analyse data transfers on a case by case basis to ensure that, as far as possible, they are adopting practices and procedures in relation to data transfer that will provide a level of protections for the data that is equivalent to the level of protection that the data had in the EU.
If you require assistance please contact Iain Freeman or Lorraine Madden.