This morning, Germany’s Federal Data Protection Authority (DPA) announced that the European Data Protection Board (EDPB) has finalized an initial set of FAQs on international transfers in light of the recent Schrems II judgment. You can read our detailed analysis of the Schrems II judgment here. Initial reactions from European privacy enforcers are summarized here, along with an analysis of early EDPB guidance here.
Per Germany’s Federal DPA, the EDPB FAQs are envisioned to be a “living document.” The version published today will contain answers to questions that European DPAs were asked “very frequently” within the last week. The FAQs may be updated over time.
Germany’s Federal DPA provides a preview of some of the guidelines that will be in the FAQs:
- Privacy Shield: There will be “no grace period” for Privacy Shield organizations. Practically, this means that “the transition [from Privacy Shield to an alternative transfer mechanism] must be started immediately.”
- Standard Contractual Clauses: SCCs can only be used for transfers to the United States – or other non-EU countries – “if additional measures are implemented that guarantee the same level of protection as in the EU.” This will require a “case by case” assessment.
- Vendor Diligence: The FAQs will apparently address companies’ duties to assess the risk that their vendors may transfer data to a non-EU country. If companies “do not know whether, as part of processing, data are sent to a third country,” they must now “review their contracts with their vendors.”
According to the Federal DPA, the EDPB’s FAQs could be published as early as today. Alston & Bird will provide updates as these FAQs become available.