18Aug

European Data Protection Board Publishes Frequently Asked Questions on Schrems II Decision

August 18, 2020By Blog

European Data Protection Board Publishes Frequently Asked Questions on Schrems II Decision   On July 24, 2020, the European Data Protection Board (the “EDPB”) published Frequently Asked Questions (the “FAQs”) on the judgment of the Court of Justice of the European Union (the “CJEU”) in the Schrems II case (case C-311/18).   In its judgment, handed down on July 16, 2020 (ACS Blog Summary) the CJEU upheld the validity of the Standard Contractual Clauses (the “SCCs”) the European Commission issued to support the lawful transfer of personal data to data processors outside of the EU.  At the same time, it struck down the EU-U.S. Privacy Shield framework. The FAQ responds to some of the many questions the Schrems II ruling raises:  The decision allows for no grace period for…

READ MORE
18Aug

German Data Protection Authority. No Grace Period on EEA Data Transfers to the US

August 18, 2020By Blog

German Data Protection Authority. No Grace Period on EEA Data Transfers to the US On July 28, 2020, German supervisory authorities (Datenschutzkonferenz, the “DSK”) issued a statement emphasizing that organizations that rely on Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (BCRs”) must implement additional safeguards to lawfully transfer personal data to third countries.  In keeping with the Court of Justice of the European Union  CJEU’s judgment of 7/16, and the European Data Protection Board EDPB FAQ Memo of 7/20, the German DSK statement affirmed it’s intent of enforcing GDPR under the framework of the Court’s ruling, and with no grace period to comply.  The highlights of the German DSK statement are:  Organizations receiving transfers of EU Personal Data outside of the European Economic Area…

READ MORE
17Jul

Court of Justice of the European Union Invalidates the EU-U.S. Privacy Shield, Finds Standard Contractual Clauses Valid

July 17, 2020By Blog

The Court of Justice of the European Union (CJEU) in a surprise decision invalidated the U.S. Privacy Shield in a case called, Schrems II – a decision important to all companies doing business in the EU and collecting personal data about its residents. It found that the Standard Contractual Clauses (SCC) issued by the European Commission to support the lawful transfer of personal data to processors established outside of the EU are valid. At the same time, the Court unexpectedly invalidated the EU-U.S. Privacy Shield framework. This decision will require companies to re-examine their approach to transferring data between the U.S and the EU. Background In 2015 Max…

READ MORE
01Apr

Federal Trade Commission Announces Settlements in Privacy Shield Enforcement Actions

April 1, 2020By Blog, GDPR - Enforcement & Fines

The Federal Trade Commission sent an important message to companies participating in the EU-U.S. Privacy Shield when earlier this year, the agency announced that settlements had been finalized with five companies regarding separate allegations that they had falsely claimed certification under the framework. The EU-U.S. and Swiss-U.S. Privacy Shield frameworks make it possible for companies to transfer personal data lawfully from the EU and Switzerland, respectively, to the U.S. (In compliance with the EU – GDPR – General Data Protection Regulation). The FTC announcement can be found here. In individual actions the FTC had alleged that: DCR Workforce, Inc., Thru, Inc., LotaData, Inc., and 214 Technologies, Inc., each…

READ MORE
04Mar

Be Prepared: New Tech Enables Floods of Subject Access Requests

March 4, 2020By Blog, News & Events

In January 2020, a new data privacy startup, Mine, made headlines when it received $3 million in seed funds. Mine is an inevitable product of new data privacy laws that have been passed in Europe and California. The start-up based in Tel Aviv helps users identify all the companies that hold their personal data. It then allows users to submit automated subject access requests and subject erasure requests. They advertise as a service providing tools for consumers to “reclaim your data.”  Users of this service have already sent out thousands of requests emphasizing how easy it is to generate hundreds of requests. Achieved is already handling Mine requests on…

READ MORE