#EDPB final recommendations on supplementary measures – quick thoughts on biggest changes, non-changes, and issues to explore further. Welcome thoughts on any you are focused on! #privacy #dataflows #schremsii 1/12
TIAs must (now can) assess and document practical experience with government access to data, BUT practical experience must be publicly available, relevant, verifiable, objective and reliable. Generally aligned with new SCCs. New acronym? #PARVOR adequacy assessments/TIAs? 2/12
Exporters must also consider government access to data in transit, by public authorities of the country to which it is sent (limiting factor?), even without the importer’s involvement. 3/12
The EDPB provides an updated list of sources of information to assess third country protections. Note that these are in “order of preference,” and the ordering alone is intriguing. 4/12
Practical experience cuts both ways – it can show that “adequate” laws are inadequate in practice or it can show that “problematic legislation” does not apply to the situation at hand. 5/12
#Privacypros will be busy since they must not only document the adequacy of relevant laws, practices, and their application to the specific sector, but also the internal procedure to conduct the TIA. And, DPAs can request these TIAs. 6/12
Technical safeguards remain the only failsafe option identified – the EDPB states that “contractual and organizational measures alone will generally not overcome…problematic legislation or practices.” 7/12
Use cases where the EDPB did NOT IDENTIFY effective supplementary measures generally unchanged (though doesn’t say they don’t exist) - 6) Transfers to cloud service providers which require access to data in the clear & 7) Remote access to personal data for business purposes. 8/12
Definition of “problematic legislation” & p.35 & 38. – rights can be restricted respecting their “essence,” where “necessary and proportionate…in a democratic society, to safeguard important objectives as ALSO recognized in Union or EU Member States’ law” 9/12
What does fn 19 mean in practice? If an individual data subject is not a data exporter, does that mean foreign receipt of personal data directly from an EU data subject is not a transfer under GDPR Chapter V? 10/12
What does fn 42 together with edits that strike “transferred to and” before “processed” mean? It seems to make clear that a transfer is a type of processing… But, does that apply the necessity standard and legal bases for processing to the decision to transfer? 11/12
What is the significance of changes to EDPB recommendation text describing when derogations may be relied on? Recall, CJEU Judge von Danwitz's comments in this regard. 12/12
