The flurry of post Schrems II activity has exposed deep divisions between the @EU_EDPB and the @EU_Commission. Here are two: (Thread 1/6)

1. The EC's SCC requires a risk based analysis, including estimating the likelihood (or unlikelihood) that a foreign government access data imported from the EU. (2/6)

The EDPB prohibits precisely this type of risk analysis. You may NOT rely on an assessment of the likelihood of government access. This flat out contradicts the EC position above. (3/6)

2. The EC limits use of the SCC to data transfers to companies not subject to GDPR. This implies that if a foreign entity (say, FB US) is subject to GDPR's extraterritorial juris clause Art 3(2), there is no "transfer" out of Europe (at least in terms of jurisdictional reach) (4)

But the EDPB, while having the Art 3(2) vs. Chapter V issue on its agenda for years now, has yet to conclude that Chapter V doesn't apply in this situation. Which means companies will still be required to put in place a transfer mechanism but won't be able to use SCC!! (5/6)

Clearly, Schrems II implementation is exposing fracture lines among EU institutions. I can't even imagine the pressure (discord?) within the EDPB. Importantly, the interpretation of Schrems II is far from clear. There's room for different views. EDPB isn't "bound" as some suggest