2020 Developments in Privacy Law Create New Obligations for Companies, Foreshadow More Changes in 2021

While Covid-19 and national and state governments’ efforts to respond to the impact of the disease took center stage in 2020 among lawmakers, the year still brought significant changes in privacy and data protection law. Companies will need to take measures to meet new obligations created by court decisions and legislation and to prepare for more changes expected in 2021. Invalidation of Privacy Shield – On July 16, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework, an agreement between the European Commission and U.S. Department of Commerce to facilitate the legal movement of data from the EU to the U.S. Invalidation of…


European Commission Publishes New Standard Contractual Clauses and Guidance on Implementation

On November 12, 2020, the European Commission published a draft implementing decision on standard contractual clauses (“SCCs”) for the transfer of personal data to third countries. It also published a draft set of new SCCs. For U.S. companies, the EU General Data Protection Regulation (“GDPR) establishes SCCs as a means by which companies may lawfully transfer data from the EU to the U.S. Companies that have in the past relied on the U.S. Privacy Shield to transfer data from the EU to the U.S. will need to pay particular attention to the new SCCs and guidance. The decision in the Schrems case (discussed previously in this blog) invalidated the Privacy…


101 Lawsuits Against Companies Post Schrems II Decision

In the wake of the recent decision of the European Court of Justice (CJEU) in which it struck down the Privacy Shield data transfer arrangement – commonly referred to as the Schrems case after the Austrian activist, Max Schrems, who brought the action – the practices of companies moving data from the European Union to the United States are now under scrutiny. The privacy activist group noyb, headed by Mr. Schrems, has filed complaints against 101 websites which it alleges are still sending data in the absence of the Privacy Shield and without the measures required by the EU’s General Data Protection Regulation. In bringing its legal complaints, nyob…


European Data Protection Board Publishes Frequently Asked Questions on Schrems II Decision

On July 24, 2020, the European Data Protection Board (the “EDPB”) published Frequently Asked Questions (the “FAQs”) on the judgment of the Court of Justice of the European Union (the “CJEU”) in the Schrems II case (case C-311/18).   In its judgment, handed down on July 16, 2020 (ACS Blog Summary) the CJEU upheld the validity of the Standard Contractual Clauses (the “SCCs”) the European Commission issued to support the lawful transfer of personal data to data processors outside of the EU.  At the same time, it struck down the EU-U.S. Privacy Shield framework. The FAQ responds to some of the many questions the Schrems II ruling raises: The decision allows for no grace period for companies that relied on the EU-U.S. Privacy Shield framework. According to the EDPB,…


German Data Protection Authority. No Grace Period on EEA Data Transfers to the US

On July 28, 2020, German supervisory authorities (Datenschutzkonferenz, the “DSK”) issued a statement emphasizing that organizations that rely on Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (BCRs”) must implement additional safeguards to lawfully transfer personal data to third countries.  In keeping with the Court of Justice of the European Union  CJEU’s judgment of 7/16, and the European Data Protection Board EDPB FAQ Memo of 7/20, the German DSK statement affirmed it’s intent of enforcing GDPR under the framework of the Court’s ruling, and with no grace period to comply.  The highlights of the German DSK statement are: Organizations receiving transfers of EU Personal Data outside of the European Economic Area (EEA) are required to review the mechanisms and provide additional protections to safeguard the privacy rights…

  • 1
  • 2