EDPS publishes its strategy for Union institutions’ compliance with “Schrems II” ruling

What is the context of this Strategy?

On 16 July 2020, the CJEU issued its ruling in the “Schrems II” case (C-311/18) (the “Schrems II Ruling”), invalidating the EU-US Privacy Shield Framework but also affecting the manner in which EU Standard Contractual Clauses may have to be implemented in the future as a safeguard for extra-EEA data transfers [1].

In this context, the EDPS [2] published a strategy on 29 October 2020 (the “Strategy”) in order to ensure that the bodies, offices and agencies of European Union Institutions (“EUIs”) comply with the requirements deriving from the Schrems II Ruling. The Strategy’s main goal is therefore to ensure that ongoing and future international transfers as implemented by such EUIs comply with applicable data protection regulations [3] as read in light of the Schrems II Ruling.

What is the content of the Strategy?

The Strategy relies on a twofold approach, based on short- and mid-term actions as further detailed below.

As a short-term compliance action:

The EDPS issued an order to EUIs to complete a mapping exercise for identification of ongoing contracts, procedures and any other types of cooperation involving transfers of data. EUIs are then expected to report to the EDPB by 15 November 2020 at the latest on specific risks and gaps they identified during this mapping exercise, in particular by taking into account certain types of transfers which may present a high risk for the rights and freedoms of individuals, such as transfers to U.S. entities subject to Section 702 FISA [4] or E.O. [5] 12333, and involving either large-scale processing operations, complex processing operations or the processing of sensitive personal data.

As a medium-term compliance action:

The EDPS will provide guidance and pursue enforcement actions for transfers towards the U.S. or other third countries on a case-by-case basis. In this context, EUIs will be asked to carry out Transfer Impact Assessments (“TIAs”) to identify whether a specific transfer at stake benefits from a level of protection equivalent to that provided in the EU/EEA, with subsequent reporting to the EDPS based on the outcome of the TIAs.

The EDPS will also consider performing joint assessments of levels of protection of personal data with other relevant authorities and stakeholders, while also cooperating with the EDPB [6] on the development of further guidance and recommendations.


[1] Please read our full comment on the Schrems II case here.
[2] European Data Protection Supervisor: the body in charge of ensuring the protection of personal data and privacy throughout all EU institutions.
[3] In particular Chapter V of Regulation (EU) 2018/1725 of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies, known as the EUDPR – the equivalent of the General Data Protection Regulation for EUIs.
[4] Foreign Intelligence Surveillance Act.
[5] Executive Order.
[6] European Data Protection Board.