The EDPB Announcement states that the first of the two taskforces has been set up to “prepare recommendations to assist controllers and processors with their duty to identify and implement appropriate supplementary measures to ensure adequate protection when transferring data to third countries.” The recommendations are eagerly awaited as stakeholders have been considering what additional safeguards, on a practical level, could be implemented in order to comply with the CJEU’s ruling. It is expected that the recommendations will develop and compliment the FAQ document, adopted by the EDPB on July 23, 2020, which provides initial clarification on the use of legal instruments for the transfer of personal data to third countries, including to the U.S.
The second of the two taskforces has been set up to process and uniformly respond to a set of specific complaints received by DPAs, following the Schrems II judgment. By way of background, on August 17, 2020, 101 identical individual complaints were filed by ‘None of Your Business’, a non-governmental organization founded by Max Schrems, which alleges that Google and Facebook’s reliance on the EU-U.S. Privacy Shield or Standard Contractual Clauses is now unlawful, following the Schrems II decision. The new taskforce is expected to “analyze the matter and ensure a close cooperation among the members of the [EDPB].”
The German federal DPA (the ‘BfDI’) has published a press release stating that it supports the formation of the two new taskforces. In particular, the BfDI notes that the first taskforce was set up on the joint initiative of Germany and France, and will develop criteria for assessing individual data transfers and additional data transfer measures, as well as suggesting procedural steps for the implementation of such measures. In relation to the second taskforce, the BfDI notes that the EDPB is sending a strong signal with the taskforce, and that “[t]he crucial question of whether these Google and Facebook services comply with European data protection law can now finally be answered uniformly across Europe.”
The EDPB has not given any indication as to the timeframe in which either taskforce will publish its recommendations. However, Andrea Jelinek, the EDPB’s chair, cautioned that there would be no “one-size-fits-all, quick fix solution” to the implications raised by the Schrems II ruling, and emphasized that “[e]ach organisation will need to evaluate its own data processing operations and transfers and take appropriate measures.”
Finally, the EDPB Announcement also indicates that the EDPB has published, and is seeking feedback on, draft Guidelines on the concepts of “controllers” and “processor” in the GDPR and draft Guidelines on the targeting of social media users. The consultation process relating to both sets of draft Guidelines is expected to end on October 19, 2020. Our update in relation to those Guidelines will follow in due course.
1 C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems
