European Data Protection Board Publishes Frequently Asked Questions on Schrems II Decision

European Data Protection Board Publishes Frequently Asked Questions on Schrems II Decision   On July 24, 2020, the European Data Protection Board (the “EDPB”) published Frequently Asked Questions (the “FAQs”) on the judgment of the Court of Justice of the European Union (the “CJEU”) in the Schrems II case (case C-311/18).   In its judgment, handed down on July 16, 2020 (ACS Blog Summary) the CJEU upheld the validity of the Standard Contractual Clauses (the “SCCs”) the European Commission issued to support the lawful transfer of personal data to data processors outside of the EU.  At the same time, it struck down the EU-U.S. Privacy Shield framework. The FAQ responds to some of the many questions the Schrems II ruling raises:  The decision allows for no grace period for…


German Data Protection Authority. No Grace Period on EEA Data Transfers to the US

German Data Protection Authority. No Grace Period on EEA Data Transfers to the US On July 28, 2020, German supervisory authorities (Datenschutzkonferenz, the “DSK”) issued a statement emphasizing that organizations that rely on Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (BCRs”) must implement additional safeguards to lawfully transfer personal data to third countries.  In keeping with the Court of Justice of the European Union  CJEU’s judgment of 7/16, and the European Data Protection Board EDPB FAQ Memo of 7/20, the German DSK statement affirmed it’s intent of enforcing GDPR under the framework of the Court’s ruling, and with no grace period to comply.  The highlights of the German DSK statement are:  Organizations receiving transfers of EU Personal Data outside of the European Economic Area…


Quebec Proposed Update to Provincial Privacy Law Includes Elements of the GDPR and Canadian Federal Law

On June 12, 2020, Quebec introduced a proposed update to its public and private sector privacy laws. The draft legislation reflects both elements of the European Union’s General Data Protection Regulation (GDPR) and aspects of federal and provincial privacy laws in Canada. Among the GDPR-like provisions are requirements that companies establish a person in charge of personal information: Sanctions for failures to provide notice, collection or use of personal information in violation of the act, or for failure to report a breach. The amendments would impose penalties on businesses ranging from $15,000 to 25 million or an amount corresponding to 4 per cent of worldwide annual turnover, whichever…


Senator Sherrod Brown Releases Draft Privacy Bill

U.S. Sen. Sherrod Brown, ranking member of the U.S. Senate Committee on Banking, Housing, and Urban Affairs, recently released a draft privacy bill, the Data Accountability and Transparency Act of 2020 Link to: US Senate Draft Privacy Bill Brown’s proposal would: Give Americans the power to hold corporations, big tech, and the government responsible for how they collect and protect personal data. The bill Rejects the “consent” model for privacy, and instead places strict limits on the collection, use, and sharing of Americans’ personal data. The bill contains Provide strong civil rights protections to ensure personal information is not used for discriminatory purposes Ban the use of facial…


Be Prepared: New Tech Enables Floods of Subject Access Requests

In January 2020, a new data privacy startup, Mine, made headlines when it received $3 million in seed funds. Mine is an inevitable product of new data privacy laws that have been passed in Europe and California. The start-up based in Tel Aviv helps users identify all the companies that hold their personal data. It then allows users to submit automated subject access requests and subject erasure requests. They advertise as a service providing tools for consumers to “reclaim your data.”  Users of this service have already sent out thousands of requests emphasizing how easy it is to generate hundreds of requests. Achieved is already handling Mine requests on…

  • 1
  • 2