During the European Data Protection Board's 34th plenary session on Friday 17 July, it adopted a statement on the CJEU's ruling in the Schrems II case. In summary the EDPB noted: 

  • it is standing by to assist the European Commission to help build, together with the US, a new framework to replace the Privacy Shield; 
  • in relation to the Standard Contractual Clauses ("SCCs"), whilst these remain valid, the EDPB highlights that the judgement has emphasised the need to ensure that the SCCs in practice ensure a level of protection that is essentially equivalent to that guaranteed under the GDPR in light of the EU Charter;
  • it is primarily the obligation of the exporter and importer to assess whether the third country offers adequate protection when considering use of the SCCs; 
  • as part of this prior assessment, the exporter (and if necessary with help from the importer) must take into account the content of the SCCs, the circumstances of the transfer and the legal regime in the third country where the importer is located (in light of the non-exhaustive factors under Art 45(2) of the GDPR); 
  • if this assessment concludes the importer does not provide an essentially equivalent level of protection, the exporter may need to put in place "additional measures to those included in the SCCs". The EDPB has not clarified at this stage what these additional measures could be, but notes it is looking further into what these could consist of. 

From a UK perspective, on 16 July the ICO stated it is "considering the judgement from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy" and that the ICO stands "ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.”

In addition, the ICO notes on its website it is "currently reviewing our Privacy Shield guidance after the judgement issued by the European Court of Justice on Thursday 16 July 2020" and that "if you are currently using Privacy Shield please continue to do so until new guidance becomes available". The ICO also notes on its website "please do not start to use Privacy Shield during this period".