European Commission Publishes Draft Decision Finding UK Law Provides Adequate Protections for EU Data

On February 19, 2021, the European Commission published a draft decision finding that UK law provides an adequate level of protection for EU residents’ data. If the draft decision is adopted, organizations in the EU will be able to continue to transfer personal data to organizations in the UK without restriction. They also will not need to implement data transfer mechanisms, such as the EU Standard Contractual Clauses, to comply with the requirements of the GDPR. The draft decision comes after a year of review by the European Commission, which concluded that the UK’s legal and regulatory data protection regime meets EU data protection adequacy requirements. It also provides for…

READ MORE

EDPB and EDPS Adopt Join Opinions On Draft Standard Contractual Clauses

The European Data Protection Board (“EDPB”) and European Data Protection Supervisor (“EDPS”) adopted joint opinions on the draft Standard Contractual Clauses (“SCCs”) released by the European Commission in November 2020.  The guidance addresses both international transfers (“International SCCs”) and controller-processor relationships within the EEA (“EEA Controller-Processor SCCs”). International SCCs The International SCCs will replace the existing SCCs companies have used to transfer personal data from within the EEA to organizations in non-EEA countries not deemed to provide an adequate level of protection for data of EU residents. In the wake of the invalidation of the EU-U.S. Privacy Shield in the Court of Justice of the European Union’s (the “CJEU’s”) Schrems II judgment, most organizations…

READ MORE

2020 Developments in Privacy Law Create New Obligations for Companies, Foreshadow More Changes in 2021

While Covid-19 and national and state governments’ efforts to respond to the impact of the disease took center stage in 2020 among lawmakers, the year still brought significant changes in privacy and data protection law. Companies will need to take measures to meet new obligations created by court decisions and legislation and to prepare for more changes expected in 2021. Invalidation of Privacy Shield – On July 16, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework, an agreement between the European Commission and U.S. Department of Commerce to facilitate the legal movement of data from the EU to the U.S. Invalidation of…

READ MORE

European Commission Publishes New Standard Contractual Clauses and Guidance on Implementation

On November 12, 2020, the European Commission published a draft implementing decision on standard contractual clauses (“SCCs”) for the transfer of personal data to third countries. It also published a draft set of new SCCs. For U.S. companies, the EU General Data Protection Regulation (“GDPR) establishes SCCs as a means by which companies may lawfully transfer data from the EU to the U.S. Companies that have in the past relied on the U.S. Privacy Shield to transfer data from the EU to the U.S. will need to pay particular attention to the new SCCs and guidance. The decision in the Schrems case (discussed previously in this blog) invalidated the Privacy…

READ MORE

101 Lawsuits Against Companies Post Schrems II Decision

In the wake of the recent decision of the European Court of Justice (CJEU) in which it struck down the Privacy Shield data transfer arrangement – commonly referred to as the Schrems case after the Austrian activist, Max Schrems, who brought the action – the practices of companies moving data from the European Union to the United States are now under scrutiny. The privacy activist group noyb, headed by Mr. Schrems, has filed complaints against 101 websites which it alleges are still sending data in the absence of the Privacy Shield and without the measures required by the EU’s General Data Protection Regulation. In bringing its legal complaints, nyob…

READ MORE