On September 4, 2020, the European Data Protection Board (the “EDPB”) announced that it established two taskforces following the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems II case.
The first taskforce will process and uniformly respond to complaints received by data protection authorities following the Schrems II judgment. Initially, the taskforce will review complaints filed by the non-governmental organization None of Your Business (“NOYB”). As background, on August 17, 2020, NOYB filed 101 identical complaints before 30 European Economic Area (“EEA”) data protection authorities against various EEA companies regarding the use of Google Analytics and Facebook Connect by these companies. The complaints relate to the question of whether Google and Facebook can legally transfer EU personal data to the U.S. after the Schrems II case. In its statement on the creation of the taskforce, the EDPB indicated that the taskforce will “analyze the matter and ensure a close cooperation among the members of the Board.”
The second taskforce will prepare recommendations to assist data controllers and processors with their duty to identify and implement appropriate supplementary measures to ensure the adequate protection of EU personal data when transferring data to third countries.
The office of the German Federal Data Protection Commissioner (“BfDI”) made a similar announcement regarding the EDPB’s two new taskforces. The BfDI announcement further explained that the EDPB’s first taskforce will examine whether Google and Facebook have taken additional measures as required by the CJEU to supplement standard contractual clauses, and whether these measures provide sufficient guarantees for data transfers to the U.S. BfDI also highlighted that the second taskforce was formed as a joint initiative of Germany and France, and will develop criteria for assessing individual data transfers, criteria for additional data transfer measures, and procedural steps for the implementation of such measures.