On September 4, 2020, the European Data Protection Board (EDPB) announced that it had created two task forces following the Schrems II decision.[1] The first task force will prepare recommendations to support controllers and processors regarding their duties in “identifying and implementing” appropriate measures to meet the required standard when transferring data to third countries.[2] The EDPB noted that there will be no quick-fix solution, and that each organization will be required to evaluate its own data processing operations and transfers.
The second task force will handle and review complaints received by European Economic Area (EEA) Data Protection Authorities (DPAs).[3]Each member state of the EEA has a DPA, which are independent public authorities that supervise the application of the General Data Protection Regulation (GDPR). As of the date of the announcement, 101 identical complaints had been lodged with EEA DPAs against several controllers in EEA member states regarding the controllers’ use of Facebook and Google services involving the transfer of personal data.[4] The complaints were also brought against Google and Facebook in the U.S. for continuing to accept data transfers.[5] The complainants are all represented by Schrems’ organization. Schrems asserts that EEA and U.S. organizations ignored the Schrems II decision by continuing to transfer data through the use of SCCs.
Although fraught with challenges, these developments suggest that governing entities are invested in finding a way to continue cross-Atlantic business activity and the inevitable data transfers that accompany such activity.
[1] Press Release, Eur. Data Prot. Bd., Thirty-seventh Plenary session: Guidelines controller-processor, Guidelines targeting social media users, taskforce complaints CJEU Schrems II judgement, taskforce supplementary measures, (Sept. 4, 2020), https://edpb.europa.eu/news/news/2020/european-data-protection-board-thirty-seventh-plenary-session-guidelines-controller_en.
[2] Id.
[3] Id.
[4] Id.
[5] Id.