On 16 July, 2020, the Court of Justice of the EU (“CJEU”) issued its decision in the Schrems II case.  In short, the CJEU invalidated the EU-U.S. Privacy Shield and clarified that the use of standard contractual clauses (“SCCs”) requires data controllers to conduct a case-by-case assessment of the level of data protection that SCCs can provide, taking into account the nature of the personal data transfer(s) and the country of destination.  For a more in-depth summary of the CJEU’s decision, please see our blog post here and our audiocast here.

Now, almost two months after the decision, it is an opportune time for businesses to take stock of what exactly happened and assess the practical implications of the judgement.  The result of this impact analysis may be underwhelming for some.  So far, European regulators have been mostly silent (save a few exceptions[1]) and have not issued any actionable guidance to speak of.  In all fairness, the obligations imposed by the CJEU’s judgement may be just as daunting for regulators to apply in practice as for businesses.  As a result, companies and practitioners are left grappling with what exactly they should do in the aftermath of this decision.

In this blog post, we set out some recommendations for immediate and long-term actions that businesses may want to consider implementing.  Note, however, that much depends on the nature of the personal data transfers concerned.  As can be gleaned from the CJEU’s judgement, some transfers are more sensitive than others, and some sectors are more sensitive than others (in particular, the electronic communications sector).  These risk-based considerations should inform how businesses prioritize remedial actions going forward.


On June 24, 2020, the European Commission (“Commission”) published its much-anticipated assessment of the EU’s General Data Protection Regulation (“GDPR”) two years after it went into effect.  The assessment takes into account contributions from the European Council, the European Parliament, the European Data Protection Board (“EDPB”), individual supervisory authorities, the Multi-Stakeholder Expert Group and other stakeholders.  The assessment considers a wider scope of issues surrounding GDPR implementation beyond international transfers and the cooperation and consistency mechanisms, the two topics the Commission is specifically tasked to consider under Article 97 of the GDPR.

The Commission’s overall conclusion is that the GDPR has successfully achieved its objectives of enhancing the protection of personal data and improving the free flow of personal data within the EU.  The Commission specifically highlights the key role that the GDPR plays in the EU’s “human-centric approach to technology,” and notes that it will serve as a guiding legal framework for the EU as it rolls out its broader Data Strategy.  The Commission also notes the impact that the GDPR has had worldwide, inspiring new or elevated standards for data protection in many countries, and serving as a “global standard-setter” for regulating the digital economy.

Notwithstanding these achievements, the Commission also makes clear that there are a number of areas for improvement.
