The European Data Protection Supervisor (EDPS) has responded to the Schrems II judgment with a risk-based roadmap for EU institutions:
- Perform an inventory of all flows of personal data to entities outside the EU;
- Priority for change will be existing transfers with either no legal basis, those based on a derogation, and those to organisations “clearly subject” to the US FISA s702 or EO12333 laws and that involve large-scale or complex or sensitive data/processing;
- A strong precautionary principle should be applied to new contracts, with institutions strongly encouraged not to enter into any agreements that involve transferring data to the US;
- More detailed “Transfer Impact Assessment” questions will follow.
Since the EDPS works closely with national regulators within the European Data Protection Board (confusingly, the EDPB), we may well see those national regulators adopting a similar approach.
