101 Lawsuits Against Companies Post Schrems II Decision

101 Lawsuits Against Companies Post Schrems II Decision   In the wake of the recent decision of the European Court of Justice (CJEU) in which it struck down the Privacy Shield data transfer arrangement – commonly referred to as the Schrems case after the Austrian activist, Max Schrems, who brought the action – the practices of companies moving data from the European Union to the United States are now under scrutiny.  The privacy activist group noyb, headed by Mr. Schrems, has filed complaints against 101 websites which it alleges are still sending data in the absence of the Privacy Shield and without the measures required by the EU’s…


European Data Protection Board Publishes Frequently Asked Questions on Schrems II Decision

European Data Protection Board Publishes Frequently Asked Questions on Schrems II Decision   On July 24, 2020, the European Data Protection Board (the “EDPB”) published Frequently Asked Questions (the “FAQs”) on the judgment of the Court of Justice of the European Union (the “CJEU”) in the Schrems II case (case C-311/18).   In its judgment, handed down on July 16, 2020 (ACS Blog Summary) the CJEU upheld the validity of the Standard Contractual Clauses (the “SCCs”) the European Commission issued to support the lawful transfer of personal data to data processors outside of the EU.  At the same time, it struck down the EU-U.S. Privacy Shield framework. The FAQ responds to some of the many questions the Schrems II ruling raises:  The decision allows for no grace period for…


German Data Protection Authority. No Grace Period on EEA Data Transfers to the US

German Data Protection Authority. No Grace Period on EEA Data Transfers to the US On July 28, 2020, German supervisory authorities (Datenschutzkonferenz, the “DSK”) issued a statement emphasizing that organizations that rely on Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (BCRs”) must implement additional safeguards to lawfully transfer personal data to third countries.  In keeping with the Court of Justice of the European Union  CJEU’s judgment of 7/16, and the European Data Protection Board EDPB FAQ Memo of 7/20, the German DSK statement affirmed it’s intent of enforcing GDPR under the framework of the Court’s ruling, and with no grace period to comply.  The highlights of the German DSK statement are:  Organizations receiving transfers of EU Personal Data outside of the European Economic Area…


Quebec Proposed Update to Provincial Privacy Law Includes Elements of the GDPR and Canadian Federal Law

On June 12, 2020, Quebec introduced a proposed update to its public and private sector privacy laws. The draft legislation reflects both elements of the European Union’s General Data Protection Regulation (GDPR) and aspects of federal and provincial privacy laws in Canada. Among the GDPR-like provisions are requirements that companies establish a person in charge of personal information: Sanctions for failures to provide notice, collection or use of personal information in violation of the act, or for failure to report a breach. The amendments would impose penalties on businesses ranging from $15,000 to 25 million or an amount corresponding to 4 per cent of worldwide annual turnover, whichever…


Senator Sherrod Brown Releases Draft Privacy Bill

U.S. Sen. Sherrod Brown, ranking member of the U.S. Senate Committee on Banking, Housing, and Urban Affairs, recently released a draft privacy bill, the Data Accountability and Transparency Act of 2020 Link to: US Senate Draft Privacy Bill Brown’s proposal would: Give Americans the power to hold corporations, big tech, and the government responsible for how they collect and protect personal data. The bill Rejects the “consent” model for privacy, and instead places strict limits on the collection, use, and sharing of Americans’ personal data. The bill contains Provide strong civil rights protections to ensure personal information is not used for discriminatory purposes Ban the use of facial…

  • 1
  • 2