Court of Justice of the European Union Invalidates the EU-U.S. Privacy Shield, Finds Standard Contractual Clauses Valid

The Court of Justice of the European Union (CJEU) in a surprise decision invalidated the U.S. Privacy Shield in a case called, Schrems II – a decision important to all companies doing business in the EU and collecting personal data about its residents. It found that the Standard Contractual Clauses (SCC) issued by the European Commission to support the lawful transfer of personal data to processors established outside of the EU are valid. At the same time, the Court unexpectedly invalidated the EU-U.S. Privacy Shield framework. This decision will require companies to re-examine their approach to transferring data between the U.S and the EU. Background In 2015 Max…


EDPB Releases New Guidance: When Can Companies Rely on the Need to Fulfill the Terms of a Contract as a Legal Basis to Process?

On April 12, 2019, the European Data Protection Board (“EDPB”) published draft guidelines on the legal basis for processing personal data that involves providing online services to data subjects (the “Guidelines”). Specifically, they discuss when companies can rely on Article 6(1) – that processing can take place in the context of fulfilling the terms of a contract – and what conditions must be established to do so. The Guidelines make clear that this basis is narrower than it is often interpreted to be, and that companies must take care that they meet certain requirements. Background To lawfully process data, companies must establish one of six legal bases articulated in Article…


European Data Protection Board Issues Guidance on Interplay Between GDPR and Rules Governing Data in Clinical Trials

On January 23, 2019, the European Data Protection Board (EDPB), released an opinion on the relationship between the European Clinical Trials Regulation (CTR) and the EU General Data Protection Regulation (GDPR) (the “Opinion”). The CTR, scheduled to take effect in 2020, is designed to harmonize how clinical trials are assessed and supervised across the EU. It introduces a Clinical Trials Information System and establishes rules that protect individuals and enhance transparency requirements. In its Opinion, the EDPB provides guidance on (1) the legal bases for primary uses of clinical data, i.e., processing personal data in the course of a clinical trial protocol, and (2) secondary uses of clinical trial data…


EU-U.S. Privacy Shield Review Report Outlines Steps To Improve Enforcement and Monitor Compliance

The Privacy Shield – a mechanism by which U.S. companies can legally transfer data to the European Union, continues to draw the attention of regulators and policymakers. On December 19, 2018, the European Commission (the Commission) announced the publication of its report on the second annual review of the EU-U.S. Privacy Shield. The report offers companies insight into what aspects of the Privacy Shield officials find most important and what steps are planned to strengthen enforcement and oversee compliance. Background The EU-U.S. Privacy Shield is a framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. Companies must self-certify that they meet the requirements of…

  • 1
  • 2