On 21 June 2021, the European Data Protection Board (EDPB) published its finalised version of the Recommendations on supplementary measures (the Recommendations) to assist companies comply with the Schrems II judgement. This comes just a couple of weeks after the European Commission (the Commission) published new, revised Standard Contractual Clauses (New SCCs) (read our blog … Continue reading
On Friday 4 June, the European Commission published the finalised version of the new Standard Contractual Clauses for transferring personal data from the EU to third countries (the New SCCs). Privacy professionals have been waiting for the New SCCs for several years and have been particularly interested to know if the New SCCs will help … Continue reading
The European Commission has today published the finalised version of the new Standard Contractual Clauses (the new SCCs). The purpose of the new SCCs are to help companies legalise transfers of personal data from outside of the EEA. They will also be a lawful mechanism for UK companies to use too. The new SCCs were … Continue reading
It was reported yesterday that publication of revised final EU Standard Contractual Clauses may be as soon as next week and that revised final EDPB Recommendations possibly following the EDPB’s next plenary meeting on 15 June. This follows comments made by Ralf Sauer, EU Commission Deputy Head for International Data Flows, and Alexander Filip, Head … Continue reading
Following nine months of assessment of the UK’s data protection laws (including the rules on access to data by public authorities), the European Commission has today published its draft decision on the adequate protection of personal data by the United Kingdom. The draft decision can be found here. The draft decision is welcome news to … Continue reading
On 25 November 2020, the European Commission (EC) published its proposed Data Governance Regulation (the DGR), which will create a new legal framework to encourage the development of a European single market for data. This is part three of a series of three blog posts. In this blog post, we consider the DGR’s relationship to competition law rules. … Continue reading
On 25 November 2020, the European Commission (EC) published its proposed Data Governance Regulation (the DGR), which will create a new legal framework to encourage the development of a European single market for data. This is part two of a series of three blog posts. In this blog post, we outline the new regimes for data sharing service … Continue reading
On 25 November 2020, the European Commission (EC) published its proposed Data Governance Regulation (the DGR), which will create a new legal framework to encourage the development of a European single market for data. This is part one of a series of three blog posts. In this first blog post, we outline key aspects of the DGR, set … Continue reading
On 12 November, the European Commission published revised Standard Contractual Clauses (SCCs) and a draft implementing decision. A feedback period on the draft documents will run until 10 December. Therefore, it is not possible to give a precise date for when the draft SCCs will become final but it could be by the end of … Continue reading
On 6 October 2020, the Court of Justice of the European Union (CJEU) published two decisions that further define the permitted scope of governmental access to personal data. These decisions are relevant in two key areas: Complying with the Schrems II judgement: The judgment provides some guidance on how organisations should undertake the “case-by-case assessments” … Continue reading
On 1 October 2020, the UK Information Commissioner’s Office (ICO) published draft statutory guidance, providing clarity about how it will regulate and enforce data protection legislation in the UK. The guidance, which sits alongside the ICO’s Regulatory Action Policy, covers the ICO’s range of enforcement powers, but of most interest is the section on how … Continue reading
In the immediate aftermath of the Schrems II judgement, Bruno Gencarelli (Head of the International data flows and protection unit at the European Commission) said that “Schrems II is data transfers from theory to practice”. There have been several major developments over the last couple of weeks (explained below) which show this to be an … Continue reading
On 16 July 2020, the Court of Justice of the European Union (CJEU) published its decision in the landmark case Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 (known as the Schrems II case). While the EU-US Privacy Shield (Privacy Shield) has been completely invalidated, the Standard Contractual Clauses … Continue reading
The Court of Justice of the European Union (CJEU) has today published its decision in the landmark case, known as Schrems II. While Privacy Shield has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but the court has emphasised obligations on the parties to the SCCs and Data Protection Authorities which have the … Continue reading
Just when we thought our summers might have been looking a bit dull, it was announced that the Court of Justice of the European Union (CJEU) will be making its final ruling in Case C-311/18, Data Protection Commissioner v Facebook Ireland & Schrems on 16 July 2020. This judgement concerns the legality of the European … Continue reading
Many businesses are suffering serious financial difficulties as a result of COVID-19, particularly those in the retail, hospitality and tourism sectors. For many of these businesses the one asset that will undoubtedly retain value, despite the pandemic, will be their customer database. This valuable commodity could help attract potential purchasers. But this is a tricky … Continue reading
Last week, the Irish Data Protection Commission (“DPC”) published its much anticipated guidance note on cookies and similar tracking technologies (the “Guidance”). It also published a report following a “cookie sweep” that took place between August 2019 and December 2019 of 38 data controllers (the “Report”). The cookie sweep requested information from the data controllers … Continue reading
Employers across the world are facing extremely difficult challenges in keeping their workplaces safe for their employees, contractors and visitors during the COVID-19 pandemic. Although the prevailing instinct is likely to be to protect and to prevent the spread of the virus at all costs, under data protection laws this still needs to be weighed … Continue reading
In a judgment which will be warmly welcomed by employers (and their insurers) in the UK, the UK Supreme Court today overruled the Court of Appeal in holding that that Morrisons supermarkets is not vicariously liable for a data breach maliciously caused by a former employee.… Continue reading
1. Brace yourself (for export turbulence) 2020 could well be a year of data export turmoil – so brace yourself. The Court of Justice of the European Union (CJEU) will determine the validity of the EU Standard Contractual Clauses (SCCs) (Data Protection Commissioner v Facebook Ireland Limited, Maximillan Schrems) whilst the General Court of the … Continue reading
This blogpost summarises our recent webinar: “An urgent message from Berlin: The importance of record retention in privacy and cybersecurity”.… Continue reading
What has happened? Yesterday, the Advocate General (“AG”) concluded that, in his opinion, the EU Standard Contractual Clauses (“SCCs”) are a valid mechanism to transfer personal data outside of the European Economic Area (“EEA”). However, the AG suggested new obligations for those using SCCs. They need to examine the national security laws of the country … Continue reading
The U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) is apparently the Goldilocks of the privacy world, according to recent statements issued by two international jurisdictions. The CLOUD Act’s requirements are “too hard” for Australian law, according to the Law Council of Australia, but the privacy protections are “too soft” for the European … Continue reading
On 3 July 2019, the ICO published its updated guidance on the use of cookies and similar technologies. This came shortly after it updated the cookie consent collection mechanism on its own website. Much of the guidance is unsurprising and reflects what companies already do in practice. However, other parts of the guidance are likely … Continue reading