The recommendations address the demise of the US–EU Privacy Shield scheme.

A necessary step following the end of Privacy Shield: In July 2020, the European Court of Justice invalidated the Privacy Shield scheme which ensured the validity of personal data transfers from the EU to the US, because it did not protect EU citizens from surveillance programs of US authorities. Companies can still rely on Standard Contractual Clauses, although their validity is no longer automatic.

A way to help businesses fill the gap: On 11 November 2020, the European Data Protection Board adopted recommendations to help businesses assess whether adequate safeguards are in place when exporting personal data outside the EEA. The recommendations contain a roadmap of the steps companies must take to put in place any necessary supplementary measures.

What businesses should do: Businesses are recommended to map their transfers accurately, and to verify the tools on which data transfers rely. The recommendations include possible cases in which effective technical measures could be taken, such as encryption or pseudonymisation, and examples of extra contractual or transparency measures. The recommendations are subject to public consultation until 30 November 2020, although the EDPB has already made them applicable.