Organizations need to determine how to properly transfer personal data outside of the European Economic Area (EEA) to non-adequate jurisdictions following invalidation of the EU-U.S. Privacy Shield framework. Following the Schrems II case, which led to the shut down of the framework, no noteworthy developments have taken place, but with Max Schrems and his privacy watchdog organization, NYOB, filing more than 100 complaints in 30 EEA countries, that is expected to change. Organizations should follow the developments closely and consider conducting transfer assessments, making necessary adjustments to cross-border transfer agreements and privacy notice(s). When this is complete, organizations should adjust their data processing agreements in order to ensure that any recipients in third countries that do not cut it either stop transferring the data to those countries or provide additional safeguards.
