The EDPB Recommendations on International Transfers Present New Obstacles for Multinational Businesses and the Global Digital Economy

The European Data Protection Board (EDPB) has released a draft for public comment of its long-awaited recommendations on international transfers of personal data in light of the Court of Justice of the European Union’s (CJEU) Schrems II decision this past July.

The EDPB released these recommendations in an effort to provide guidance for companies uncertain about the legality of their international personal data transfers in the face of potentially severe penalties for noncompliance – up to 4% of annual global revenue or 20 million Euros, whichever is higher. The guidance is being both praised for its thorough examination of the complex legal issues surrounding ongoing international transfers under the European Union General Data Protection Regulation (GDPR) as well as condemned for its purported disconnect with the reality of the global digital economy and the functioning of multinational businesses.

In a November 17 webinar discussing these recommendations, the Secretariat of the EDPB confirmed that data exporters must conduct these analyses even if those transfers are already covered under otherwise GDPR compliant Standard Contractual Clauses (“SCCs” or “Clauses”) or Binding Corporate Rules (“BCRs”).

Companies must supplement any shortcomings with additional measures to protect the European individuals’ right to the protection of their personal data. Because the exporters have the burden of proving that these additional measures are legally sufficient, they are advised to thoroughly document their assessments and supplementary protective measures for each of their international transfers.