Has the EDPB succeeded in creating more clarity for businesses?
Citizens of the European Union (EU) have the right to privacy. To protect this fundamental right, the GDPR provides a wide range of rules and regulations with regard to the processing of personal data. Where personal data are being transferred from the EU to the United States (US), the EU-US Privacy Shield program was supposed to ensure that such data traffic would be handled at an ‘appropriate level of security’. On July 16 2020 however, the Court of Justice of the European Union (CJEU) ruled this arrangement to be inadequate and therefore invalid. Which made it extremely unclear for European businesses to know how to manage their data flows to the US. To resolve the situation, on November 11 2020 the European Data Protection Board (EDPB) issued a set of (draft) guidelines or recommendations for transfers of personal data to third countries. Question is, has this provided the transparency so badly needed? In this whitepaper, we will first outline the legal framework governing the transfer of personal data to third countries. In doing so, we will explore the situations in which controllers are allowed or not allowed to forward personal data to countries outside the EU. Next, as the issue at hand has been specifically impacted by two CJEU rulings, the so-called Schrems Decisions, we will take a look at the logic of these rulings. Finally, we will discuss the (draft) recommendations issued by the EDPB, followed by our conclusion and some practical advice for organisations acting as controllers in the sense of the GDPR on how to proceed under the current conditions.