This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
Welcome to Reed Smith's viewpoints — timely commentary from our lawyers on topics relevant to your business and wider industry. Browse to see the latest news and subscribe to receive updates on topics that matter to you, directly to your mailbox.
| 1 minute read

EDPB confirms no grace period to replace Privacy Shield

As I am sure you are already aware, on 16th July the CJEU handed down a ruling invalidating the EU-U.S Privacy Shield as a legal mechanism for safeguarding personal data transferred outside the EU. This is otherwise known as the "Schrems II" decision. 

Since this decision, we have had a number of people ask if there will be a grace period for controllers and processors to put a safeguard in place to replace the Privacy Shield. The European Data Protection Board has confirmed the position in its Schrems II FAQs by simply saying "no", there will be no grace period (helpful!). 

OK, so what do you do now? There are a number of other safeguards available to you under the GDPR, including standard contractual clauses (SCCs) and binding corporate rules, or there are "derogations" that can be relied on if no appropriate safeguards exist. 

Regarding the use of SCCs as a replacement mechanism, keep in mind that its Schrems II decision, the CJEU reminded us of the requirement to undertake an assessment of the laws in the recipient country prior to replying on such mechanism for international transfers. This could potentially be a big task.  

There are no quick fixes for replacing Privacy Shield so it is important that you start working on this now as it might not be long before we see data protection authorities taking enforcement actions, particularly in light of this recent statement from the EDPB. 

Among the issues addressed in the FAQs, the EDPB clarified that the CJEU's judgment does not provide for a grace period in relation to the invalidation of the EU-US Privacy Shield.


schrems ii, international data transfers, gdpr, privacy shield, standard contractual clauses, cjeu, data transfers, emerging technologies