The European Data Protection Board has set up a Schrems II task force to respond and has also issued two sets of guidelines on the meaning of controller/processor and targeting social media users.
The EDPB has held its 37th plenary session where it created a taskforce on complaints following the CJEU judgment in Schrems II and a taskforce devoted to the supplementary measures that data exporters and importers can be required to take to ensure adequate protection when transferring data in light of the judgment.
The Board also adopted guidelines on the concepts of controller and processor in the GDPR and guidelines on the targeting of social media users.
The Board has created a taskforce to look into complaints filed in the aftermath of the CJEU Schrems II judgment. A total of 101 identical complaints have been lodged with EEA Data Protection Authorities against several controllers in the EEA member states regarding their use of Google/Facebook services which involve the transfer of personal data. Specifically, the complainants, represented by the organisation NOYB, claim that Google/Facebook transfer personal data to the US, relying on the EU-US Privacy Shield or Standard Contractual Clauses, and that according to the recent CJEU judgment the controller is unable to ensure adequate protection of the complainants' personal data.
As a follow-up to the CJEU’s Schrems II ruling and in addition to the FAQ adopted on 23 July, the Board has created a taskforce to prepare recommendations to assist controllers and processors with their duty to identify and implement appropriate supplementary measures to ensure adequate protection when transferring data to third countries.
Consultation on guidelines on controller and processor in the GDPR
The Board has adopted guidelines on the concepts of controller and processor in the GDPR. Since the GDPR came into force, questions have been raised as to what extent the GDPR brought changes to these concepts, particularly regarding the concept of joint controllership (as set out in Article 26 GDPR and following several CJEU rulings), as well as the obligations for processors (in particular Article 28 GDPR) set out in Chapter IV of the GDPR.
The EDPB has been aware for some time that there was a need for more practical guidance to address the needs and concerns in the field. The new guidelines consist of two main parts: one explaining the different concepts; the other including detailed guidance on the main consequences of these concepts for controllers, processors and joint controllers. The guidelines include a flow chart to provide further practical guidance. The consultation ends on 7 November 2020.
Social media users
The EDPB is also consulting on guidelines on the targeting of social media users. The guidelines aim to provide practical guidance to stakeholders and contain case studies, so that users can quickly identify the ‘scenario’ that is closest to the targeting practice they intend to deploy. The main aim of the guidelines is to clarify the roles and responsibilities of the social media provider and the targeted individual. With this purpose in mind, the guidelines, among other things, identify the potential risks for the freedoms of individuals, the main players and their roles, the application of key data protection requirements, such as lawfulness and transparency and data protection impact assessments, as well as key elements of arrangements between social media providers and the targeted individuals. In addition, the guidelines focus on the different targeting mechanisms, the processing of special categories of data and the obligation for joint controllers to put in place an appropriate arrangement under Article 26 GDPR. The consultation ends on 19 October 2020.