The European Data Protection Board (“EDPB”) published its draft recommendations for organizations transferring personal data to jurisdictions outside of the EU. The core of the EDPB’s draft recommendations indicates that when an organization chooses to use the European Commission’s Standard Contractual Clauses (SCCs) as a mechanism for data transfers to third countries, the organization will have to conduct an assessment of the third country’s laws that affect data protection.
If the assessment indicates that the third country does not provide a level of protection essentially equivalent to that of the EU, the organization must identify and adopt supplementary contractual, technical, and organizational measures. These measures are aimed at elevating the protection afforded to the data so that it rises to the appropriate level of protection under the EU standards.
The EDPB provides a non-exhaustive list of suggested measures, including encryption as a technical measure, provided the data recipient located in the third country is exposed only to encrypted data. Overall, the recommendations are expected to introduce significant practical difficulties for many organizations that engage in cross-border transfers of GDPR-governed data, particularly regarding transfers to U.S. cloud service providers.
Shortly after the EDPB issued its draft guidance, the EU Commission published, for public comment, a draft of an updated version of the SCCs. Once the updated version is formally adopted by the EU Commission over the next few months, the existing version of the SCCs will be repealed. Organizations will then be given a grace period of up to one year to replace their existing SCCs with the new version.
The EDPB recommendations are open for public comment through December 21, 2020.