Brian Hengesbaugh is joined by Michaela Nebel to discuss the enforcement of Schrems II, the decision of the Court of Justice of the European Union from last July 2020 where they invalidated the EU-US Privacy Shield with a focus on US government surveillance activities. This podcast looks squarely into enforcement activities in the aftermath of Schrems IIin Germany, and provides insight into the “coordinated audits of international data transfers” announced by various German data protection…
On May 31, 2021, Max Schrems’ privacy organization, noyb (or “none of your business”), made over 500 complaints to companies related to what the organization called their “unlawful cookie banners.” Using automated scanning programs, nyob searched commonly used European websites and analyzed the cookie options provided on certain of these websites. nyob claims that it identified “more than fifteen common abuses” of cookie consent management, with some of the most prevalent “violations” identified as follows:…
In the wake of “Schrems II,” the future of data transfers is on shaky ground. True, the Biden administration has demonstrated that it is taking trans-Atlantic data flows seriously after appointing Christopher Hoff, CIPP/E, CIPP/US, CIPM, in January, not long after Joe Biden was inaugurated. And though both the US Department of Commerce and European Commission are working together in earnest, short of changing its national security laws, what else can be done to prevent another…
In its Schrems II judgement of 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated the European Commission’s adequacy decision on the EU-U.S. Privacy Shield. The EU-U.S. Privacy Shield was a data transfer mechanism allowing to transfer personal data from the European Union (EU)/European Economic Area (EEA) to the United States (a so-called third country) in compliance with data protection requirements. The CJEU confirmed that standard contractual clauses (SCCs) remain valid,…
The Court of Justice of the EU issued its judgment in Data Protection Commissioner v Facebook Ireland Limited, Maximilian Schrems on 16 July 2020. This decision has implications on the wider issue of regulation of international data transfers and, by extension, the tech industry. Our panel of experts, consisting of Lothar Determann, Elisabeth Dehareng and Brian Hengesbaugh, examines the intricacies of the ruling and what it means for the TMT sector. https://open.spotify.com/episode/79SqOrfWy9fICVqHE7myVx
It’s difficult to believe that it has only been a short time since the Court of Justice of the European Union invalidated the European Commission adequacy finding for the EU-U.S. Privacy Shield on July 16, 2020. So much has changed. In this final note in the series, we provide seven predictions for the road ahead with “Schrems II” and global data transfers. Some of these may be more controversial than others, but here goes: 1.…
Most companies consider cross-border data transfer restrictions under EU data protection laws a difficult compliance requirement, particularly since July 16, when the Court of Justice of the European Union ruled on the EU-U.S. Privacy Shield and standard contractual clauses. Additionally, companies that offer data-processing services are also facing a difficult sales topic, which commands urgent attention, particularly in the technology, media and telecommunications sectors. Click here to continue reading. Note: This is the seventh in…
Starting with a good note: The “Schrems II” judgment does not lead to significant negative implications for companies that rely on the derogations the EU General Data Protection Regulation provides for international data transfers through Article 49. The Court of Justice of the European Union’s judgment stipulates that companies will need to evaluate whether their use of the standard contractual clauses provides sufficient protection in light of any access by the public authorities of the third country…
In its “Schrems II” opinion issued July 16, the Court of Justice of the European Union did not reach any findings on the EU Commission’s decisions 2001/497/EC or 2004/915/EC, i.e., the standard contractual clauses for the transfer of personal data to controllers. However, the rationale behind the CJEU’s ruling on the controller-to-processor SCCs, as well as on the EU-U.S. Privacy Shield, suggests two things with respect to controller-to-controller SCCs: The additional measures for transfers under C2P SCCs…
So far, much of the discussion surrounding last week’s Court of Justice of the European Union “Schrems II” decision has focused on the implications for personal data transfers to the United States or other non-European countries, but its impact will be felt in the UK, as well, and add a further layer of complexity for companies preparing for Dec. 31, when the Brexit transition period will end. The key question at this stage is whether…