In the context of the Schrems II case (see a summary here), we continue our analysis of alternative vehicles allowing the transfer of personal to third countries outside the European Economic Area. In previous papers, we focused on Binding Corporate Rules (BCR) [link] as alternatives to the Standard Contractual Clauses (SCC) [link]. This time, we will look at the so-called “derogations for specific situations” set forth under Article 49 GDPR as a subsidiary vehicle to…
The European Commission’s New Deal for Consumers will apply to traders that target consumers in the EU from 28 May 2022. Organisations impacted by the New Deal have two years to get into shape – which is advisable, because the New Deal empowers regulators across the EU to impose GDPR-style fines for breaches of consumer legislation. Like the GDPR before it, the changes will affect most functions within businesses affected by the New Deal. Organisations…
Multinational organizations subject to privacy laws, such as the EU General Data Protection Regulation, are sometimes also subject to seemingly conflicting trade law. One area of US trade law requires that before exporting certain products or technologies, companies screen against US sanctions lists to prevent the goods from being available to states or individuals deemed bad actors. The lists often contain sensitive information, including personal data relating to suspected or confirmed criminal liability. Click here…
Following our previous analysis of the consequences of the opinion of the advocate general Hendrik Saugmandsgaard Øe (a.g.) in the Schrems II case, from the data exporter perspective (available here), we now focus on the implications of the same with respect to the position of the data importer. Indeed, in the following paragraphs, we will turn our attention to the content of the Controller to Processor Standard Contractual Clauses (SCC) and, in particular, to some…
In this blog post we further analyse the impacts of the opinion of the advocate general Hendrik Saugmandsgaard Øe (a.g.) in the Schrems II case. We will focus, more specifically, on what it means for data exporters and what consequences there may be for them, if the decision of Court of Justice of the European Union (CJEU) on the case is consistent with the a.g’s opinion. Data importers will be the focus of another post,…
On midnight January 31, 2020, the United Kingdom’s law formally governing its exit from the European Union went into effect. From a data protection perspective, however, Brexit has not resulted in any changes in law. In fact, The EU Withdrawal Agreement implements a transition period to resolve post Brexit concerns and other formalities through December 31, 2020. During that time period, most EU law (including GDPR) will continue to apply, and, presumably, the UK will…
In this episode, your host Brian Hengesbaugh is joined by Benjamin Slinn, a senior associate in our London office, to discuss how data protection may look in a post-Brexit Europe. In this episode, you will learn about: What to expect during the transition period, which lasts until December 31, 2020Potential changes in international data transfers after the transition period expiresPractical steps from a data protection perspective that companies should consider taking to prepare for the end…
After January 31, 2020 the UK ceases to be a Member State of the European Union and, under the terms of the Withdrawal Agreement agreed between the UK and the EU-27, a transition period applies until December 31, 2020. From a data protection perspective, this has a number of implications. We have summarised the key points below, including what happens after the UK leaves the EU on January 31, the implications for international data transfers,…
In this Connect on Tech Episode, Brian Hengesbaugh and <ichaela Nebel focus on new EDPB guidelines on the territorial scope of application of GDPR.
The Federal Trade Commission (FTC) finalized settlements with five companies for claiming EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield certification. Those companies included organizations focused on providing workforce solutions, collaboration platforms, artificial intelligence analytics, clinical trial management, and other IT providers. The actions In each case, the FTC alleged that each company wrongfully claimed current certification under either the EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield. Both frameworks establish a mechanism for companies to legally…