On 27 July 2020 the ICO issued a statement in response to the judgement of the CJEU in Schrems II.
The ICO has confirmed that the EDPB's FAQs regarding the decision, from 23 July 2020, still apply to UK controllers and processors.
The ICO has also updated its website, which previously stated "if you are currently using Privacy Shield please continue to do so until new guidance becomes available". This statement has now been removed.
The ICO reiterates the EDPB's FAQs, which state that, when relying on the Standard Contractual Clauses, a risk assessment is required as to whether they provide sufficient protection within the legal framework of the third country the data is being transferred to, whether that is the US or elsewhere.
The EDPB confirmed in the FAQs there is no grace period for continuing to transfer personal data to the US under Privacy Shield.
The EDPB did not provide further guidance in the FAQs on what "supplementary measures" may be required in addition to the Standard Contractual Clauses or BCRs to transfer personal data to third countries, but noted the EDPB is "currently analysing the Court’s judgment to determine the kind of supplementary measures that could be provided in addition to SCCs or BCRs, whether legal, technical or organisational measures, to transfer data to third countries where SCCs or BCRs will not provide the sufficient level of guarantees on their own. The EDPB is looking further into what these supplementary measures could consist of and will provide more guidance."
For now, the ICO notes the European Commission and EDPB are working on more guidance regarding the additional measures that may be required when relying on the Standard Contractual Clauses, and in the meantime organisations should "take stock of the international transfers you make and react promptly as guidance and advice becomes available".
The ICO also stated it is taking time to consider the implications of the judgement, including in relation to the role of supervisory authorities in oversight of international transfers, but confirmed it will continue to apply a risk-based and proportionate approach, and acknowledged the challenges UK businesses are currently facing.
The European Data Protection Board (EDPB) has now issued its FAQs on the invalidation of the Privacy Shield and the implications for the Standard Contractual Clauses (SCCs), and this guidance still applies to UK controllers and processors. Further work is underway by the European Commission and EDPB to provide more comprehensive guidance on extra measures you may need to take. In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available. The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this.