The decision of the Court of Justice of the European Union in July 2020 in Schrems II left companies without a clear framework for transfers to the US. In August 2020, authorities highlighted that the invalidation of the Privacy Shield is enforceable without any grace period and that the use of Standard Contractual Clauses (SCCs) required, yet left undefined, additional safeguards.
Now, after almost four months, the European Data Protection Board (EDPB) has published its guidance on additional safeguards. These recommendations feature more than a dozen technical, contractual and organizational measures.
However, the EDPB itself concludes that the latter two categories may only be feasible where local laws of the third country are in line with EU data protection principles in the first place. Aside from stopping data transfers altogether, companies are left with a variety of "nice-to-have" yet insufficient measures, and merely two concrete options for effective technical measures remain.
To learn more, please open the attached file.