European Union flag.

EU-US Data Transfers After Schrems II: European Commission Publishes New Draft Standard Contractual Clauses

Image Credit: GregMontani from Pixabay.

On November 12, 2020, roughly four months after the European Court of Justice’s “Schrems II” decision which invalidated the EU-US Privacy Shield, the EU Commission released a draft set of new Standard Contractual Clauses (“SCCs” or “model clauses”).

These updated SCCs allow transfers of personal data from the EU to third countries, as well as a transfers by controllers when engaging processors located inside the EU. (For a further analysis of the Schrems II judgment, and the motivation for these new clauses, see our prior blog post).

Who can use the new SCCs?

The Commission’s draft, which includes the new SCCSs in its Annex, covers two new types of international transfers and contains important updates in order to bring the text of the model clauses in line with the General Data Protection Regulation (“GDPR”).

The current SCCs, approved by the Commission in 2001 and 2010, only addressed two data flow scenarios:

  • An EU-based controller exporting data outside of the EU to other controllers (controller-controller SCCs)
  • An EU-based controller exporting data outside of the EU to processors (processor- processor SCCs).

In this new draft, the Commission addressed a gap which frequently occurred in practice: EU processors exporting data to controllers and processors outside of the EU. This addition further reflects the expanded territorial scope of the GDPR.

Continue Reading EU-US Data Transfers After Schrems II: European Commission Publishes New Draft Standard Contractual Clauses
Blue EU flag fluttering in the wind

Schrems II: No Privacy Shield for EU-US Data Transfers, but Don’t Put Your Eggs into Standard Contractual Clauses Either

Image Credit: Capri23auto from Pixabay

On July 16th, 2020, privacy professionals scrambled after the Court of Justice of the European Union (CJEU) handed down its decision in Schrems II. The ruling invalidated the US-EU Privacy Shield agreement, which authorized transfers of data from the EU to the US for Privacy Shield-certified companies. Though the ruling on Privacy Shield was unexpected given that it was not directly at issue, such a decision is not without precedent or historical pattern. Privacy Shield itself was a replacement for the Safe Harbor framework that was invalidated in 2015 in Schrems I.

Now that the Privacy Shield framework has been invalidated, both data controllers and data processors are likely concerned about the next steps to take to ensure that any data transfers integral to its operations can continue. Although the U.S. Department of Commerce has indicated that it will continue processing Privacy Shield certifications, affected companies such as U.S. data importers and EU data exporters should quickly explore and adopt other transfer legitimizing mechanisms with their service providers and vendors in order to prevent any gaps in compliance.

Continue Reading Schrems II: No Privacy Shield for EU-US Data Transfers, but Don’t Put Your Eggs into Standard Contractual Clauses Either
Pole with sign saying "future".

Privacy Law Forecast for 2019

Image Credit: ID 23689850 © Steve Ball | Dreamstime.com

This past year was quite a whirlwind for privacy and cybersecurity watchers. Just to sum up a few of the top events of last year:

  • Facebook’s Cambridge Analytica scandal rocked political headlines
  • Europe introduced the GDPR, the most comprehensive data protection legislation to date in the world
  • California enacted the California Consumer Privacy Act, becoming the first US state to create GDPR-style rules
  • Google came under fire for allowing app developers to read your email, and track your location (even with location tracking off!)
  • Marriott’s guest reservation system was hacked, exposing the personal information of up to 500 million guests, including passport numbers and payment numbers for some of those hacked

What will happen in 2019? Here are our top 5 predictions:

Continue Reading Privacy Law Forecast for 2019

Image of gears directing arrows to shield.

California Consumer Privacy Act vs GDPR – How to Maximize Your Privacy Compliance Program

California’s recent passage of the Consumer Privacy Act of 2018 now places the world’s fifth-largest economy under European style data protection rules. Given the new law, US businesses that were previously hesitant to implement GDPR are now reconsidering their position.

Luckily, the GDPR and the California Consumer Privacy Act (CCPA or CaCPA) share some similarities. Both provide for consumer-facing privacy notices, data access rights, and data portability. As businesses automate their GDPR compliance processes, they should also leverage those same processes under the CaCPA to save significant time and expense.

Below, we have listed five common operational steps that all businesses should take in their GDPR and CaCPA privacy compliance programs:
Continue Reading California Consumer Privacy Act vs GDPR – How to Maximize Your Privacy Compliance Program

Image of man preaching

EU Court Finds GDPR Applies to Religious Preaching

On July 10, 2018 the Court of Justice of the European Union (CJEU) published an opinion finding that the General Data Protection Regulation (“GDPR”) applied to the collection of personal data during “door-to-door” preaching by the Jehovah’s Witnesses religious community. This data included the name and addresses of individuals contacted, and in certain cases, the individuals’ religious beliefs and family circumstances. Members of the Jehovah’s Witnesses community used this data to coordinate preaching efforts across territories and to maintain lists of individuals who did not wish to be visited.

The judgment in this case (CJEU C-25/17) highlights the broad scope of the GDPR in several ways. First, it shows the limitation of the “personal or household” exception to the GDPR. Continue Reading EU Court Finds GDPR Applies to Religious Preaching

1 2