Cross-Border Transfers

On 11 November 2020, the European Data Protection Board (“EDPB”) issued two draft recommendations relating to the rules on how organizations may lawfully transfer personal data from the EU to countries outside the EU (“third countries”).  These draft recommendations, which are non-final and open for public consultation until 30 November 2020, follow the EU Court of Justice (“CJEU”) decision in Case C-311/18 (“Schrems II”).  (For a more in-depth summary of the CJEU decision, please see our blog post here and our audiocast here. The EDPB also published on 24 July 2020 FAQs on the Schrems II decision here).

The two recommendations adopted by the EDPB are:

Continue Reading EDPB adopts recommendations on international data transfers following Schrems II decision

Over the past 9 months, the UK has been hammering out the shape of its future trading relationship with the EU, as well as many others, and there apparently are signs of progress in the past few days as a result of intensified talks between the two sides. Some are reporting a deal will be

Recently, there has been a significant level of attention given to data protection and privacy matters on the Continent, and in the just the past year, we have seen new laws proposed or enacted in places like Nigeria, Egypt, Kenya, and of course South Africa, although prior to that, places like Morocco, Ghana and Mali

On June 22, 2020, the South African President announced that certain provisions of POPIA would take effect on July 1, provisions which most regard as essential to the statute, such as those imposing conditions on the lawful processing of personal information, procedures for handling complaints, and general enforcement provisions. Only days later, the South African

On September 7, 2020, the German data protection supervisory authority for Baden-Wuerttemberg (“DPA-BW”) released new guidelines following the Schrems II judgment on how companies should transfer data to third countries. For a more in-depth summary of the CJEU’s Schrems II decision, please see our previous blog post here and our audiocast episode here.
Continue Reading New Guidelines for Companies from German Supervisory Authority (DPA-BW) following Schrems II

On September 8, 2020, the Swiss Federal Supervisory Authority (“Swiss SA”) issued a position paper stating that Swiss companies can no longer rely on the Swiss-US Privacy Shield Framework to transfer data to the US. The Swiss SA did not revoke the Swiss-US Privacy Shield Framework because it does not have the power to do so, but it did remove the US from its list of adequate countries.

The position paper is a clear reaction to the recent ruling of the Court of Justice of the European Union (“CJEU”) in the Schrems II case and aims to bring legal certainty to Swiss companies affected by the judgment.  It is understood that EU authorities encouraged Switzerland, which is the beneficiary of an EU adequacy determination, to adopt a position more aligned with the EU’s following the judgement.
Continue Reading Swiss Federal Data Protection Authority Removes the US from its List of Adequate Countries

On 16 July, 2020, the Court of Justice of the EU (“CJEU”), issued its decision in the Schrems II case.  In short, the CJEU invalidated the EU-U.S. Privacy Shield and clarified that the use of standard contractual clauses (“SCCs”) requires data controllers to conduct a case-by-case assessment of the level of data protection that SCCs can provide, taking into account the nature of the personal data transfer(s) and the country of destination.  For a more in-depth summary of the CJEU’s decision, please see our blog post here and our audiocast here.

Now, almost two months after the decision, it is an opportune time for businesses to take stock of what exactly happened and assess the practical implications of the judgement.  The result of this impact analysis may be underwhelming for some.  So far, European regulators have been mostly silent (save a few exceptions[1]) and have not issued any actionable guidance to speak of.  In all fairness, the obligations imposed by the CJEU’s judgement may be just as daunting for regulators to apply in practice as for businesses.  As a result, companies and practitioners are left grappling with what exactly they should do in the aftermath of this decision.

In this blog post, we set out some recommendations for immediate and long-term actions that businesses may want to consider implementing.  Note, however, that much depends on the nature of the personal data transfers concerned.  As can be gleaned from the CJEU’s judgement, some transfers are more sensitive than others, and some sectors are more sensitive than others (in particular, the electronic communications sector).  These risk-based considerations should inform how businesses prioritize remedial actions going forward.Continue Reading Life After Schrems II: Practical Recommendations In An Uncertain Time

On December 19, 2019, Advocate General (“AG”) Henrik Saugmandsgaard Øe handed down his Opinion in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”). The AG’s Opinion provides non-binding guidance to the Court of Justice of the EU (“CJEU”) on how to decide the case.

In brief, the AG recommended that the CJEU find that Decision 2010/87 (setting out standard contractual clauses for controller to processor transfers) should not be invalidated. The Opinion also concluded that the Court did not need to rule on the validity of the EU-U.S. Privacy Shield to decide Schrems II.Continue Reading AG Publishes Opinion on the Validity of the EU Standard Contractual Clauses

The Advocate General’s (“AG”) Opinion in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”), has been delayed until the 19th December 2019.  (The original publication date was set for the week before, on the 12th December.)

The primary question before the European Court of Justice (“ECJ”),