Articles Tools

EPDS initial roadmap for Schrems II judgment

The European Data Protection Supervisor (EDPS) has responded to the Schrems II judgment with a risk-based roadmap for EU institutions:

  • Perform an inventory of all flows of personal data to entities outside the EU;
  • Priority for change will be existing transfers with either no legal basis, those based on a derogation, and those to organisations “clearly subject” to the US FISA s702 or EO12333 laws and that involve large-scale or complex or sensitive data/processing;
  • A strong precautionary principle should be applied to new contracts, with institutions strongly encouraged not to enter into any agreements that involve transferring data to the US;
  • More detailed “Transfer Impact Assessment” questions will follow.

Since the EDPS works closely with national regulators within the European Data Protection Board (confusingly, the EDPB), we may well see those national regulators adopting a similar approach.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *