The continued flow of personal information from Europe is essential to Europe’s competitiveness and connectivity to the global economy, as well as to research that is critical to fighting and recovering from the current pandemic. Given the legal questions raised by the Court of Justice’s (“Court”) decision in case C-311/18, the Chamber welcomes efforts by the European Data Protection Board (“EDPB”) aimed at enabling businesses to continue transferring EU personal information with confidence and in compliance with European law. In this respect, we thank the EDPB for granting our November 12 request to extend its public consultation period.
Unfortunately, the Recommendations, as written, fail to provide businesses with a realistic way forward on international data transfers. The EDPB’s proposed measures are unworkable in practice, go beyond the requirements laid out by the Court, and are inconsistent with the General Data Protection Regulation’s (“GDPR”) risk-based approach to data privacy. If the Recommendations are implemented and enforced as written, the EDPB will effectively cut Europe off from the rest of the digital world and erect formidable barriers to cross-border trade and investment, without enhancing the privacy of European citizens.
We urge the EDPB to fundamentally reconsider its proposals. It should embrace a risk-based approach that enables enterprises to choose supplementary measures that are appropriate to the contexts of their data transfers. Such an approach would remain consistent with the Court’s decision and the GDPR and should be coordinated with the European Commission’s new standard contractual clauses (“SCCs”). We further recommend that the EDPB include a transition period that allows enterprises to adjust their business arrangements to comply with the new requirements. Given the economic and social challenges stemming from the COVID-19 pandemic, the EDPB must avoid creating unneeded disruptions to cross-border commerce. Our comments and recommendations are attached.