The European Data Protection Board draft recommendations 01/2020 on “measures that supplement international transfer tools to ensure compliance with the EU level of protection of personal data” provide useful further guidance on how to comply with the CJEU ruling in Schrems II.
However, practical implementation of these recommendations will be very difficult for organizations. Some technical and contractual measures mentioned by the EDPB do not seem very realistic and effective for data access by public authorities and for organizations that routinely transfer data as part of their activities.
For GDPR compliance, the EDPB and regulators throughout the EU have been calling for organizations to take a “risk-based approach”. It now seems that for international data transfers, the EDPB is departing from this and taking a more restrictive approach, which looks contrary to, for instance, the European Commission’s revised Standard Contractual Clauses and “modular design”.
The current guidance is complicated and will require focus and considerable effort to result in transfers that are compliant. The EBU therefore urges the EDPB to adopt a more flexible and risk-based approach and outline more realistic and proportionate technical measures for companies to work with.