Cross-Border Transfers

Recently, there has been a significant level of attention given to data protection and privacy matters on the Continent, and in the just the past year, we have seen new laws proposed or enacted in places like Nigeria, Egypt, Kenya, and of course South Africa, although prior to that, places like Morocco, Ghana and Mali

On June 22, 2020, the South African President announced that certain provisions of POPIA would take effect on July 1, provisions which most regard as essential to the statute, such as those imposing conditions on the lawful processing of personal information, procedures for handling complaints, and general enforcement provisions. Only days later, the South African

On September 7, 2020, the German data protection supervisory authority for Baden-Wuerttemberg (“DPA-BW”) released new guidelines following the Schrems II judgment on how companies should transfer data to third countries. For a more in-depth summary of the CJEU’s Schrems II decision, please see our previous blog post here and our audiocast episode here.

Continue Reading New Guidelines for Companies from German Supervisory Authority (DPA-BW) following Schrems II

On September 8, 2020, the Swiss Federal Supervisory Authority (“Swiss SA”) issued a position paper stating that Swiss companies can no longer rely on the Swiss-US Privacy Shield Framework to transfer data to the US. The Swiss SA did not revoke the Swiss-US Privacy Shield Framework because it does not have the power to do so, but it did remove the US from its list of adequate countries.

The position paper is a clear reaction to the recent ruling of the Court of Justice of the European Union (“CJEU”) in the Schrems II case and aims to bring legal certainty to Swiss companies affected by the judgment.  It is understood that EU authorities encouraged Switzerland, which is the beneficiary of an EU adequacy determination, to adopt a position more aligned with the EU’s following the judgement.
Continue Reading Swiss Federal Data Protection Authority Removes the US from its List of Adequate Countries

On 16 July, 2020, the Court of Justice of the EU (“CJEU”), issued its decision in the Schrems II case.  In short, the CJEU invalidated the EU-U.S. Privacy Shield and clarified that the use of standard contractual clauses (“SCCs”) requires data controllers to conduct a case-by-case assessment of the level of data protection that SCCs can provide, taking into account the nature of the personal data transfer(s) and the country of destination.  For a more in-depth summary of the CJEU’s decision, please see our blog post here and our audiocast here.

Now, almost two months after the decision, it is an opportune time for businesses to take stock of what exactly happened and assess the practical implications of the judgement.  The result of this impact analysis may be underwhelming for some.  So far, European regulators have been mostly silent (save a few exceptions[1]) and have not issued any actionable guidance to speak of.  In all fairness, the obligations imposed by the CJEU’s judgement may be just as daunting for regulators to apply in practice as for businesses.  As a result, companies and practitioners are left grappling with what exactly they should do in the aftermath of this decision.

In this blog post, we set out some recommendations for immediate and long-term actions that businesses may want to consider implementing.  Note, however, that much depends on the nature of the personal data transfers concerned.  As can be gleaned from the CJEU’s judgement, some transfers are more sensitive than others, and some sectors are more sensitive than others (in particular, the electronic communications sector).  These risk-based considerations should inform how businesses prioritize remedial actions going forward.

Continue Reading Life After Schrems II: Practical Recommendations In An Uncertain Time

On December 19, 2019, Advocate General (“AG”) Henrik Saugmandsgaard Øe handed down his Opinion in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”). The AG’s Opinion provides non-binding guidance to the Court of Justice of the EU (“CJEU”) on how to decide the case.

In brief, the AG recommended that the CJEU find that Decision 2010/87 (setting out standard contractual clauses for controller to processor transfers) should not be invalidated. The Opinion also concluded that the Court did not need to rule on the validity of the EU-U.S. Privacy Shield to decide Schrems II.

Continue Reading AG Publishes Opinion on the Validity of the EU Standard Contractual Clauses

The Advocate General’s (“AG”) Opinion in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”), has been delayed until the 19th December 2019.  (The original publication date was set for the week before, on the 12th December.)

The primary question before the European Court of Justice (“ECJ”),

On October 23, 2019, the European Commission (“Commission”) published its Report on the third annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) (the Report is accompanied by a Staff Working Document).  The Report “confirms that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield” (see also the Commission’s Press Release).  The Report welcomed a number of improvements following the second annual review, including efforts made by U.S. authorities to monitor compliance with the framework, as well as key appointments that have been made in the last year.  The Commission in particular noted the appointment of Keith Krach to the position of Privacy Shield Ombudsperson on a permanent basis, filling a vacancy that had been noted in previous reviews.  The Report also provided a number of recommendations for further improvement and monitoring.

Recognizing that, in its third year, Privacy Shield has “moved from the inception phase to a more operational phase,” the Report placed particular emphasis on the effectiveness of the “tools, mechanisms and procedures in practice.”  Not only has the number of Privacy Shield certifications exceeded 5,000 companies — eclipsing in three years the number of companies that had registered to the Safe Harbor Framework in its nearly 15 years of existence — the Report also noted that “an increasing number of EU data subjects are making use of their rights under the Privacy Shield and that the relevant redress mechanisms function well.”

As with prior reviews, the Commission sought feedback from trade associations, NGOs, and certified companies, and  addressed the functioning of (i) the framework’s commercial aspects, and (ii) U.S. authorities’ access to personal data.

Continue Reading Privacy Shield Third Annual Review

On September 3, 2019, the Federal Trade Commission (“FTC”) announced settlement agreements with five companies for alleged false claims of certification under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks (collectively, “Privacy Shield”).  These settlements indicate that the FTC is continuing to actively enforce Privacy Shield commitments, as it has done with respect to several other