During its plenary session, the EDPB adopted a final version of the Recommendations on supplementary measures following public consultation. The Recommendations were first adopted in November 2020 following the CJEU Schrems II ruling. They aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries.
The final version of the Recommendations includes several changes to address comments and feedback received during the public consultation and places a special focus on the practices of a third country’s public authorities.
Among the main modifications are: the emphasis on the importance of examining the practices of third country public authorities in the exporters’ legal assessment to determine whether the legislation and/or practices of the third country impinge – in practice – on the effectiveness of the Art. 46 GDPR transfer tool; the possibility that the exporter considers in its assessment the practical experience of the importer, among other elements and with certain caveats; and the clarification that the legislation of the third country of destination allowing its authorities to access the data transferred, even without the importer’s intervention, may also impinge on the effectiveness of the transfer tool.
Regarding the recently published new standard contractual clauses for international transfers by the European Commission, the Recommendations are helpful to check “Local laws and practices affecting compliance with the Clauses” (Clause 14 of the new SCCs) and the possible need to implement supplementary measures.
EDPB Chair Andrea Jelinek said: “The impact of Schrems II cannot be underestimated: already international data flows are subject to much closer scrutiny from the supervisory authorities who are conducting investigations at their respective levels. The goal of the EDPB Recommendations is to guide exporters in lawfully transferring personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the European Economic Area. By clarifying some doubts expressed by stakeholders, and in particular the importance of examining the practices of public authorities in third countries, we want to make it easier for data exporters to know how to assess their transfers to third countries and to identify and implement effective supplementary measures where they are needed. The EDPB will continue considering the effects of the Schrems II ruling and the comments received from stakeholders in its future guidance.”
The full text of the Recommendations is available here: https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en
The EDPB adopted a letter addressed to EU Institutions on the privacy and data protection aspects of a possible digital euro. In the letter, the EDPB stresses that a very high standard of privacy and data protection is crucial to reinforce the trust of end users and should be considered a distinctive element in the offering of a digital euro, representing a key factor of success. Such concerns should be taken into account from the design stage. In addition, the EDPB recommends that the EU body in charge of the design of the project performs a high-level data protection impact assessment. The EDPB further indicates that it stands ready to provide advice to the ECB or other EU institutions.
Finally, the EDPB designated three representatives to the European Travel Information and Authorisation System’s (ETIAS) Fundamental Rights Guidance Board, which is tasked to evaluate the impact of the processing of applications and will play an important role in ensuring the system’s compliance with fundamental rights, in particular with regard to privacy and personal data protection. The Board will be composed of representatives from FRONTEX, the EDPS, the EDPB and the Fundamental Rights Agency (FRA).
During the plenary, the EDPB also adopted a joint EDPB-EDPS opinion on the draft AI Regulation. A separate press release will be published on this topic later today.
Note to editors:
All documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.