Anna Mercado Clark, CIPP/E, CIPP/US

U.S. Department of Commerce and European Commission Release Joint Press Statement

On August 10, 2020, the U.S. Secretary of Commerce, Wilbur Ross, and the European Commissioner for Justice, Didier Reynders, released a Joint Press Statement (“Press Statement”) regarding the status of Privacy Shield discussions in light of the Schrems II decision. The Schrems II decision declared that the EU-U.S. Privacy Shield Framework was not a valid mechanism to transfer personal data from the European Economic Area (EEA) to the U.S., which we address in greater detail in a recent Client Alert.

The U.S. Department of Commerce and the European Commission announced that they have initiated discussions to determine the potential for “an enhanced EU-U.S. Privacy Shield” that would comply with the Schrems II decision. Both parties recognize the “vital importance of data protection and the significance of cross-border data transfer to our citizens and economies,” and reiterate a commitment to privacy and the rule of law, as well as the longstanding collaboration between the EU and the U.S.
Continue Reading The Department of Commerce Continues Efforts to Address Cross-Border Data Transfers Under the GDPR After the Invalidation of the Privacy Shield

The General Data Protection Regulation (GDPR), Europe’s restrictive data protection law, permits the transfer of personal data from the European Economic Area (EEA) to other countries only under limited circumstances. On July 16, 2020, the Court of Justice of the European Union (CJEU or Court) issued a highly anticipated decision in a case brought by Maximilian Schrems, an Austrian privacy advocate, who challenged Facebook Ireland’s reliance on standard contractual clauses (SCCs) as a legal basis for transferring his personal data to Facebook, Inc. in the United States (U.S.). The Court’s decision has two significant results:
Continue Reading European High Court Invalidates Privacy Shield, but Upholds Standard Contractual Clauses for International Data Transfers Under the GDPR

As regulators attempt to keep pace with the ever-changing technological landscape, legislation and agency guidance continue to evolve. Two recent developments worth noting:

  1. The clarification and modification of the California Consumer Privacy Act (CCPA)
  2. The release of the U.S. Department of Health and Human Services’ (HHS) voluntary cybersecurity practices for health care organizations

For insights

Everyone has been to a lot of presentations, read articles and evaluated the General Data Protection Regulation (“GDPR”) – yet many questions remain.

Many companies continue to struggle with determining whether (1) the GDPR applies to them and, if so, (2) what can be done before the May 25th compliance deadline.

It is not too late to have these questions answered when working with experienced counsel who can navigate the issues at hand. For instance, possession of any European Union (“EU”) resident’s data does not necessarily trigger the GDPR. Indeed, making the legal determination regarding the applicability of the GDPR can be completed largely over the phone by discussing key issues and conducting a targeted follow-up investigation. If the GDPR applies, then there are a number of high-impact but manageable tasks that can be accomplished by May 25th. Of course, waiting longer to evaluate these issues only puts businesses at greater risk for the hefty (up to 20 million Euro or 4 percent of annual global revenue, whichever is greater) non-compliance penalties that may be applicable.
Continue Reading GDPR – It’s Not Too Late to Work Towards Compliance