Your search matched the following posts:

Max Schrems’ NGO, noyb, submits mass cookie law compliance complaints

Introduction

Max Schrems’ privacy NGO, noyb, has sent hundreds of draft complaints to companies across Europe that it claims use unlawful cookie banners along with a guide of how to comply.  noyb is giving these companies one month to make the changes to their cookie banners and consent management solutions before filing formal complaints with data protection authorities.

noyb’s stated aim is to move to a world where users are presented with simple and clear “accept”/“reject” options and companies do not design their cookie banners to try to “frustrate” users into accepting cookies or design their privacy settings to make …

Germany: Data protection authorities announce closer monitoring of data transfers to the US after Schrems II

Norton Rose Fulbright - Data Protection Report blog

Following the CJEU’s Schrems II ruling (case C-311/18 of July 16, 2020), transfers of personal data to the US are coming under close scrutiny by the German data protection authorities. Some German data protection authorities have announced that they will be taking a stricter approach against companies that fail to comply with the Schrems II requirements. The Hamburg data protection authority which is leading a working group focusing on cloud providers is reported to be considering regulatory sanctions should companies not be able to explain the legal grounds on which they rely to transfer personal data to the US. The …

European data export bonanza: revised SCCs and EDPB Schrems II guidance published

On 12 November, the European Commission published revised Standard Contractual Clauses (SCCs) and a draft implementing decision.  A feedback period on the draft documents will run until 10 December.  Therefore, it is not possible to give a precise date for when the draft SCCs will become final but it could be by the end of the year.

The new SCCs aim to modernise the clauses in line with the GDPR and to cover a multitude of different types of transfers to cater for “the complexity of modern processing chains”.  The clauses also aim to “provide for …

Two new CJEU judgments further tighten limits of government surveillance – significant for impending UK adequacy decision and “Schrems II country assessments”

On 6 October 2020, the Court of Justice of the European Union (CJEU) published two decisions that further define the permitted scope of governmental access to personal data.

These decisions are relevant in two key areas:

  1. Complying with the Schrems II judgement: The judgment provides some guidance on how organisations should undertake the “case-by-case assessments” of third countries to which they are transferring personal data using the European Commission approved Standard Contractual Clauses (SCCs); and
  2. Brexit: The judgement also gives some clues as to the standard to which the UK will be held as it

101 Problems and Schrems Ain’t One

NT Analyzer blog series, cookie

Eureka! After burning the midnight oil, we’ve built an automated scanner to identify and sort the Schrems II risk of data flows for further legal handling. The scanner uses more than 20 different data points derived from network metadata to scan and classify data flows based on mass surveillance risk under the NSA’s so-called “Upstream” and “Downstream” data collection programs. This is important to do because not all endpoints are created equal in this regard.

The main questions facing companies at this point are:

  • Do my websites and mobile apps, when used in the EU, transmit data to the US,

Schrems II: recent developments – waiting is harder

In the immediate aftermath of the Schrems II judgement, Bruno Gencarelli (Head of the International data flows and protection unit at the European Commission) said that “Schrems II is data transfers from theory to practice”.  There have been several major developments over the last couple of weeks (explained below) which show this to be an accurate assessment.  Companies can no longer “do nothing” in the hope that the difficult implications will go away.  Regulators are starting to investigate.  Complaints are being submitted. A taskforce has been set up. The Swiss data protection authority (DPA) also thinks Privacy …

Schrems II landmark ruling: our recommendations

On 16 July 2020, the Court of Justice of the European Union (CJEU) published its decision in the landmark case Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 (known as the Schrems II case).  While the EU-US Privacy Shield (Privacy Shield) has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but with strict conditions.

Our recent briefing provides a detailed analysis on the judgement, but here are our recommendations on what organisations should consider doing next:

  • Monitor guidance updates from the European Data Protection Board (EDPB)

Schrems II: The US Perspective and where do we go from here?

Schrems II calls into question all transfers of personal information out of the EU that involve export to a country without an adequacy finding.  While this affects countries in every region of the world, it does have particular ramifications for the US.

US companies are likely to bear the brunt of this decision.  First, because the underlying complaint concerns how Facebook transferred personal data to the US, Schrems II takes particular umbrage with US “mass” surveillance laws, which are unlikely to change in the short term.  Second, the US is still the largest economy in the world and information is …

Schrems II landmark ruling: Privacy Shield is invalid, Standard Contractual Clauses are valid but court puts obligations on parties and authorities

The Court of Justice of the European Union (CJEU) has today published its decision in the landmark case, known as Schrems II. While Privacy Shield has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but the court has emphasised obligations on the parties to the SCCs  and Data Protection Authorities which have the potential to restrict when they can be used.

Here is a very short first summary:

  1. Privacy Shield is invalid.  This is on the basis that the access and use of EU personal data by US authorities are not restricted in a way

Schrems II judgement due in July – what this might mean for your outsourcing deal

Just when we thought our summers might have been looking a bit dull, it was announced that the Court of Justice of the European Union (CJEU) will be making its final ruling in Case C-311/18, Data Protection Commissioner v Facebook Ireland & Schrems on 16 July 2020.  This judgement concerns the legality of the European Commission approved Standard Contractual Clauses (SCCs) which many organisations rely on to transfer personal data outside of the UK and the European Economic Area (EEA), particularly in relation to outsourcing services.

On 19 December 2019, the Advocate General (…

LexBlog