The judgement from the court declared that the EU-US ‘privacy shield’ data transfer arrangement is invalid.
In the ‘Schrems II’ ruling, the court considered that standard contractual clauses (SCCs) are still valid for the transfer of personal data to data processors established in third countries. However, that is dependent on whether they include mechanisms that make it possible to ensure compliance with the level of data protection equivalent to the GDPR within the EU.
After the ruling, the European Data Protection Board (EDPB) confirmed in responses to FAQs that there is no regulatory ‘grace period’.
The updated guidance from the MRS includes a checklist of key actions for organisations and information on SCCs and supplementary measures.
In an updated statement on the Schrems II ruling, the Information Commissioner’s Office (ICO) said: “Further work is underway by the European Commission and EDPB to provide more comprehensive guidance on extra measures you may need to take. In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available.”
Source: ResearchLive, 7 augustustus 2020, Katie McQuater