With the Brexit transition period ending on 31 December 2020, and no deal in sight, the future of cross-border data transfers between the European Economic Area (the EEA) and the United Kingdom remains unclear. On 1 January 2021, the United Kingdom will be considered as a “third country” and, unless a Brexit deal is proposed dealing with data protection and how data transfers between the EEA and the United Kingdom are to be treated, it could be significantly more difficult for European Union (EU)-based entities to transfer personal data to the United Kingdom.

(more…)

This document aims at presenting answers to some frequently asked questions received by supervisory authorities (“SAs”) and will be developed and complemented along with further analysis, as the EDPB continues to examine and assess the judgment of the Court of Justice of the European Union (the “Court”).

The judgment C-311/18 can be found here, and the press release of the Court may be found here.

(more…)
  1. Adoption of the minutes and of the agenda
    1. Minutes of the 35th EDPB meeting
    2. Draft agenda of the 36th EDPB meeting
  2. Current Focus of the EDPB Members
    1. FAQ regarding clarifications of the consequences of the Schrems II judgement
    2. Decision making under art. 65 – Role of the Secretariat 2.3. Update by SA
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Secretariat
      1. September plenary meeting
      2. Legal studies
    2. Coordinators ESG
      1. Focus of the ESG until spring 2021
  4. Any other business
  1. Adoption of the minutes and of the agenda
    1. Minutes of the 34th EDPB meeting
    2. Draft agenda of the 35th EDPB meeting
  2. Current Focus of the EDPB Members
    1. Decision-making under Art. 65 GDPR
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. International Transfers ESG
      1. Impact of Brexit on BCRs and management of ICO-led BCRs
    2. RoP drafting team
      1. Transparency of EDPB minutes
    3. Secretariat
      1. Legal studies
  4. Any other business

The long awaited Schrems II decision was published by the Court of Justice of the European Union (CJEU) on 16 July 2020 (Court of Justice of the European Union – Grand Chamber – 16 July 2020 – C-311/18 – Schrems II) and while it has already been summarized as the death blow to the Privacy Shield framework and the confirmation of the validity of the Standard Contractual Clauses (SCCs) by many, it may only be a Pyrrhic victory for the latter, as far as transfers to the US are concerned.

(more…)

With the recent decision from the Court of Justice of the European Union (CJEU) invalidating the Privacy Shield framework (Court of Justice of the European Union – Grand Chamber – 16 July 2020 – C-311/18 – Schrems II – see our alert here) and subjecting the Standard Contractual Clauses (SCCs) to higher standard of enforcement, global companies with the need to transfer data across the world, and especially across the Atlantic, are now required to re-assess their data transfer mechanisms.

While both Privacy Shield and the SCCs predates the General Data Protection Regulation 2016/79 dated 27 April 2016, which enter into force on 25 May 2018 (GDPR) , the new regulation aimed at providing stakeholders with additional tools to self-regulate and safeguard the privacy of individuals in the European Union

Among them, and while still confidential, the implementation of codes of conduct is encouraged under Art. 40 GDPR and by the dedicated Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/79 dated 04 June 2019 of the European Data Protection Board (EDPB). As a matter of fact, the advantages of such codes of conducts go beyond the mere facilitation of data transfers, and provide data controllers and data processors alike with a complete sectorial framework for GDPR compliance.

(more…)

In a highly anticipated Schrems II decision, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield, the legal framework allowing transatlantic exchanges of personal data for commercial purposes between the European Union and the United States, mainly citing US surveillance practices and inadequate recourse to EU individuals. On the other hand, the CJEU upheld the Commission Decision 2010/87 on Standard Contractual Clauses (SCCs) for the transfer of personal data to processors established in third countries (see out alert here). 

(more…)

On the morning of 16 July 2020, in a significant decision of the Court of Justice of the European Union (CJEU), the Privacy Shield was held to be invalid.

What is the Privacy Shield

The Privacy Shield was an agreement negotiated in 2016 between the United States Department of Commerce, the European Commission and the Swiss Administration to provide a mechanism for companies to transfer personal data from the European Union and Switzerland to the United States. The Privacy Shield was designed to enable companies to transfer personal data across the Atlantic in accordance with EU data protection law that pre-dated the GDPR.

(more…)

The California Consumer Privacy Act of 2018 (CCPA) stands to radically change the way organisations throughout the United States, and even the world, handle personal data. Coming into force on 1 January 2020, CCPA has motivated other U.S. states such as Washington and Texas to move toward having their own privacy laws. Increasingly, pressure is building in Washington, DC, to advance federal privacy legislation, both on the domestic and international scene. In addition to Japan obtaining a GDPR-adequacy recognition (followed soon by Korea and India), Brazil has adopted its General Data Protection Act (GDPA) which is heavily inspired by the EU GDPR and will come into force in August 2020. In this session, hear about the new laws and legislative initiatives, how they will change the way you do business internationally and how to get prepared.

Along with Delphine Charlot, CIPP/E, Senior Counsel, Privacy and Data Protection, Mastercard

While Capitol Hill is inundated with proposed privacy legislations from the Data Breach Prevention and Compensation Act (DBPCA), the CLOUD Act and the ENCRYPT Act, organizations the world over are trying to understand how to get their own regulations deemed adequate enough to ensure the flow of business in the EU, now that GDPR is a reality.
(more…)