On December 22, 2021, the Austrian Data Protection Authority (DSB) found that medical news company, NetDoktor, violated Europe’s General Data Protection Regulation (GDPR) by using Google LLC’s popular data analytics platform, Google Analytics (GA), on its website, which resulted in the transfer of personal information from Europe to Google’s servers located in the United States (U.S.).1 Such transfers are generally prohibited unless an adequate level of data protection exists pursuant to Article 44 of the GDPR, including through European Commission-approved standard contractual clauses (SCCs).
Continue Reading Austrian Data Protection Authority Finds Website Use of Google Analytics Violates GDPR
New Court Decisions
Swiss-U.S. Privacy Shield Invalidated by Swiss Commissioner
The Schrems II decision, issued on July 16, 2020, continues to impact the ability of organizations to transfer personal data from the European Economic Area to the United States. The effects of the decision are now felt in Switzerland as the Federal Data Protection and Information Commissioner (FDPIC) addressed the issue on September 8, 2020. The FDPIC determined that the Swiss-U.S. Privacy Shield, which is separate and distinct from the EU-U.S. Privacy Shield and was not directly addressed by the Schrems II decision, nonetheless fails to provide an adequate level of protection for personal data transferred from Switzerland to the United States.[1] The Swiss-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and Swiss administration to provide organizations with a mechanism to comply with data protection requirements when transferring personal data from Switzerland to the U.S.[2]
Continue Reading Swiss-U.S. Privacy Shield Invalidated by Swiss Commissioner
European Parliament Committee Discusses the Future of EEA-U.S. Data Flows
On September 3, 2020, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) held a meeting to discuss the Schrems II decision and the future of personal data transfers between the European Economic Area (EEA) and the U.S.[1]
Justice Didier Reynders, the EU Commissioner for Justice, stated that conversations with U.S. counterparts (most likely the Department of Commerce) on a possible new data transfer framework have started, but that it is impossible to predict or provide a clear timeline.[2] The European Commission is currently working on an amended set of standard contractual clauses (SCCs) that will address the concerns of the Schrems II decision and incorporate the General Data Protection Regulation (GDPR).[3]
Continue Reading European Parliament Committee Discusses the Future of EEA-U.S. Data Flows
EDPB Establishes and Appoints Task Forces to Prepare Recommendations and Review Complaints Following the Schrems II Decision
On September 4, 2020, the European Data Protection Board (EDPB) announced that it had created two task forces following the Schrems II decision.[1] The first task force will prepare recommendations to support controllers and processors regarding their duties in “identifying and implementing” appropriate measures to meet the required standard when transferring data to third countries.[2] The EDPB noted that there will be no quick-fix solution, and that each organization will be required to evaluate its own data processing operations and transfers.
Continue Reading EDPB Establishes and Appoints Task Forces to Prepare Recommendations and Review Complaints Following the Schrems II Decision
EDPB Issues Draft of GDPR Controller-Processor Guidelines
On September 7, 2020, the European Data Protection Board (EDPB) issued draft guidelines clarifying the concepts of “controller,” “joint controller,” “processor” and “third party” under the General Data Protection Regulation (GDPR). These concepts are important under the GDPR, as they determine which party is responsible for compliance with particular GDPR provisions and how data subjects can exercise their rights. The guidelines, when finalized, will replace the previous Article 29 Working Party Opinion issued in 2010.[1] The concepts of “controller” and “processor” have not changed since the Article 29 Working Party Opinion, but the Court of Justice of the European Union’s (CJEU) decision and the obligations placed on these roles by the GDPR provided a need for clarification and harmonization across the European Economic Area (EEA).[2] The guidelines provide clarity to the different roles and responsibilities, and stress the importance of a clear and consistent interpretation of the concepts across the EEA. The following is a summary of some of the significant takeaways:
Continue Reading EDPB Issues Draft of GDPR Controller-Processor Guidelines
The Department of Commerce Continues Efforts to Address Cross-Border Data Transfers Under the GDPR After the Invalidation of the Privacy Shield
U.S. Department of Commerce and European Commission Release Joint Press Statement
On August 10, 2020, the U.S. Secretary of Commerce, Wilbur Ross, and the European Commissioner for Justice, Didier Reynders, released a Joint Press Statement (“Press Statement”) regarding the status of Privacy Shield discussions in light of the Schrems II decision. The Schrems II decision declared that the EU-U.S. Privacy Shield Framework was not a valid mechanism to transfer personal data from the European Economic Area (EEA) to the U.S., which we address in greater detail in a recent Client Alert.
The U.S. Department of Commerce and the European Commission announced that they have initiated discussions to determine the potential for “an enhanced EU-U.S. Privacy Shield” that would comply with the Schrems II decision. Both parties recognize the “vital importance of data protection and the significance of cross-border data transfer to our citizens and economies,” and reiterate a commitment to privacy and the rule of law, as well as the longstanding collaboration between the EU and the U.S.
Continue Reading The Department of Commerce Continues Efforts to Address Cross-Border Data Transfers Under the GDPR After the Invalidation of the Privacy Shield
European High Court Invalidates Privacy Shield, but Upholds Standard Contractual Clauses for International Data Transfers Under the GDPR
The General Data Protection Regulation (GDPR), Europe’s restrictive data protection law, permits the transfer of personal data from the European Economic Area1 (EEA) to other countries only under limited circumstances. On July 16, 2020, the Court of Justice of the European Union (CJEU or Court) issued a highly anticipated decision in a case brought by Maximillian Schrems, an Austrian privacy advocate, who challenged Facebook Ireland’s reliance on standard contractual clauses (SCCs) as a legal basis for transferring his personal data to Facebook, Inc. in the United States (U.S.). The Court’s decision has two significant results:
Continue Reading European High Court Invalidates Privacy Shield, but Upholds Standard Contractual Clauses for International Data Transfers Under the GDPR