Frequently Asked Questions on the CJEU judgment “Schrems II” – C-311/18

July 28th, 2020 | Posted by Claude-Etienne Armingaud in Data Transfer | Privacy - (0 Comments)

This document aims at presenting answers to some frequently asked questions received by supervisory authorities (“SAs”) and will be developed and complemented along with further analysis, as the EDPB continues to examine and assess the judgment of the Court of Justice of the European Union (the “Court”).

The judgment C-311/18 can be found here, and the press release of the Court may be found here.

(more…)

36th EDPB Meeting

July 23rd, 2020 | Posted by Claude-Etienne Armingaud in Data Transfer | Privacy - (0 Comments)
  1. Adoption of the minutes and of the agenda
    1. Minutes of the 35th EDPB meeting
    2. Draft agenda of the 36th EDPB meeting
  2. Current Focus of the EDPB Members
    1. FAQ regarding clarifications of the consequences of the Schrems II judgement
    2. Decision making under art. 65 – Role of the Secretariat 2.3. Update by SA
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Secretariat
      1. September plenary meeting
      2. Legal studies
    2. Coordinators ESG
      1. Focus of the ESG until spring 2021
  4. Any other business

, , , ,

35th EDPB Meeting

July 22nd, 2020 | Posted by Claude-Etienne Armingaud in Data Transfer | Privacy - (0 Comments)
  1. Adoption of the minutes and of the agenda
    1. Minutes of the 34th EDPB meeting
    2. Draft agenda of the 35th EDPB meeting
  2. Current Focus of the EDPB Members
    1. Decision-making under Art. 65 GDPR
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. International Transfers ESG
      1. Impact of Brexit on BCRs and management of ICO-led BCRs
    2. RoP drafting team
      1. Transparency of EDPB minutes
    3. Secretariat
      1. Legal studies
  4. Any other business

, , ,

EU Data Protection: Standard Contractual Clauses May have Been Confirmed by the CJEU, But At What Price?

July 16th, 2020 | Posted by Claude-Etienne Armingaud in Data Transfer | Europe | Privacy - (0 Comments)

The long awaited Schrems II decision was published by the Court of Justice of the European Union (CJEU) on 16 July 2020 (Court of Justice of the European Union – Grand Chamber – 16 July 2020 – C-311/18 – Schrems II) and while it has already been summarized as the death blow to the Privacy Shield framework and the confirmation of the validity of the Standard Contractual Clauses (SCCs) by many, it may only be a Pyrrhic victory for the latter, as far as transfers to the US are concerned.

(more…)

, , , , , ,

EU Data Protection: In a Post-Privacy Shield, Sectorial Code of Conduct Could Lead the Way to Safeguard Data Transfers Outside the EU/EEE

July 16th, 2020 | Posted by Claude-Etienne Armingaud in Data Transfer | Europe | Privacy - (0 Comments)

With the recent decision from the Court of Justice of the European Union (CJEU) invalidating the Privacy Shield framework (Court of Justice of the European Union – Grand Chamber – 16 July 2020 – C-311/18 – Schrems II – see our alert here) and subjecting the Standard Contractual Clauses (SCCs) to higher standard of enforcement, global companies with the need to transfer data across the world, and especially across the Atlantic, are now required to re-assess their data transfer mechanisms.

While both Privacy Shield and the SCCs predates the General Data Protection Regulation 2016/79 dated 27 April 2016, which enter into force on 25 May 2018 (GDPR) , the new regulation aimed at providing stakeholders with additional tools to self-regulate and safeguard the privacy of individuals in the European Union

Among them, and while still confidential, the implementation of codes of conduct is encouraged under Art. 40 GDPR and by the dedicated Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/79 dated 04 June 2019 of the European Data Protection Board (EDPB). As a matter of fact, the advantages of such codes of conducts go beyond the mere facilitation of data transfers, and provide data controllers and data processors alike with a complete sectorial framework for GDPR compliance.

(more…)

, , , , , , , ,

EU Data Protection: Privacy Shield Shattered by the Sword of European Justice – What Comes Next for Transatlantic Dataflows?

July 16th, 2020 | Posted by Claude-Etienne Armingaud in Data Transfer | Europe | Privacy - (0 Comments)

In a highly anticipated Schrems II decision, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield, the legal framework allowing transatlantic exchanges of personal data for commercial purposes between the European Union and the United States, mainly citing US surveillance practices and inadequate recourse to EU individuals. On the other hand, the CJEU upheld the Commission Decision 2010/87 on Standard Contractual Clauses (SCCs) for the transfer of personal data to processors established in third countries (see out alert here). 

(more…)

, , ,

EU Court of Justice Invalidates Privacy Shield

July 16th, 2020 | Posted by Claude-Etienne Armingaud in Case Law | Data Transfer | Europe | Privacy - (0 Comments)

On the morning of 16 July 2020, in a significant decision of the Court of Justice of the European Union (CJEU), the Privacy Shield was held to be invalid.

What is the Privacy Shield

The Privacy Shield was an agreement negotiated in 2016 between the United States Department of Commerce, the European Commission and the Swiss Administration to provide a mechanism for companies to transfer personal data from the European Union and Switzerland to the United States. The Privacy Shield was designed to enable companies to transfer personal data across the Atlantic in accordance with EU data protection law that pre-dated the GDPR.

(more…)

, , , , , , ,

🇺🇸 IAPP Data Protection Intensive France – Global Developments: CCPA and Beyond

February 4th, 2020 | Posted by Claude-Etienne Armingaud in Conference | Data Transfer | Europe | France | internet | Legislation | Privacy | World - (0 Comments)

The California Consumer Privacy Act of 2018 (CCPA) stands to radically change the way organisations throughout the United States, and even the world, handle personal data. Coming into force on 1 January 2020, CCPA has motivated other U.S. states such as Washington and Texas to move toward having their own privacy laws. Increasingly, pressure is building in Washington, DC, to advance federal privacy legislation, both on the domestic and international scene. In addition to Japan obtaining a GDPR-adequacy recognition (followed soon by Korea and India), Brazil has adopted its General Data Protection Act (GDPA) which is heavily inspired by the EU GDPR and will come into force in August 2020. In this session, hear about the new laws and legislative initiatives, how they will change the way you do business internationally and how to get prepared.

Along with Delphine Charlot, CIPP/E, Senior Counsel, Privacy and Data Protection, Mastercard

Adequacy Agreements, Legislation and Compliance in a GDPR World

November 8th, 2018 | Posted by Claude-Etienne Armingaud in Data Transfer | Europe | France | Interview | Legislation | Privacy | Region - (0 Comments)

While Capitol Hill is inundated with proposed privacy legislations from the Data Breach Prevention and Compensation Act (DBPCA), the CLOUD Act and the ENCRYPT Act, organizations the world over are trying to understand how to get their own regulations deemed adequate enough to ensure the flow of business in the EU, now that GDPR is a reality.
(more…)

Connecting the Dots: U.S. and International Issues and Regulatory Developments on Connected Cars/Autonomous Vehicles, K&L Gates / Access Partnership, Washington, D.C.

December 6th, 2017 | Posted by Claude-Etienne Armingaud in Artificial Intelligence | Conference | Connected Cars | Data Transfer | Europe | France | IT | Non classé | Privacy - (0 Comments)

Mode information on K&L Gates website