Author

Elisabeth Dehareng

The European Data Protection Board (EDPB) recently published the draft Guidelines on Examples Regarding Data Breach Notification, a document that encompasses eighteen examples of data security incidents, on a spectrum of risk and necessary mitigating measures.  Each example concludes with recommended actions based on the identified risks, mainly: recording the incident in the organization’s internal register, notifying the organization’s supervisory authority, and notifying affected individuals.  The Guidelines are currently open for public consultation. The Guidelines…

Happy Data Protection Day! The 28 January each year is celebrated as Data Protection Day (or Data Privacy Day outside of Europe), which marks the anniversary of the Council of Europe’s Convention 108. To mark Data Protection Day 2021, we have summarised some of the key trends and developments in the EU, UK and beyond from a data protection perspective and looking ahead to what to expect for 2021. You can jump to specific country…

In its Schrems II judgement of 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated the European Commission’s adequacy decision on the EU-U.S. Privacy Shield. The EU-U.S. Privacy Shield was a data transfer mechanism allowing the transfer of personal data from the European Union (EU)/European Economic Area (EEA) to the United States (a so-called third country) in compliance with data protection requirements. The CJEU confirmed that standard contractual clauses (SCCs) remain valid,…

The Court of Justice of the EU issued its judgment in Data Protection Commissioner v Facebook Ireland Limited, Maximilian Schrems on 16 July 2020. This decision has implications on the wider issue of regulation of international data transfers and, by extension, the tech industry. Our panel of experts, consisting of Lothar Determann, Elisabeth Dehareng and Brian Hengesbaugh, examines the intricacies of the ruling and what it means for the TMT sector. https://open.spotify.com/episode/79SqOrfWy9fICVqHE7myVx

It’s difficult to believe that it has only been a short time since the Court of Justice of the European Union invalidated the European Commission adequacy finding for the EU-U.S. Privacy Shield on July 16, 2020. So much has changed. In this final note in the series, we provide seven predictions for the road ahead with “Schrems II” and global data transfers. Some of these may be more controversial than others, but here goes: 1.…

The European Court of Justice (“ECJ”) issued a landmark ruling earlier today that invalidates the EU – US Privacy Shield Framework (“Privacy Shield”) in Case C-311/18 (“Schrems II”).

It has been two years since the GDPR came into force on 25 May 2018 and during that time, we have seen more guidance published at an EU level as well as from data protection authorities in Member States which has impacted how organisations approach areas of GDPR compliance. We have also seen enforcement action from data protection authorities across the EU and UK. There have also been other significant developments, over the past two…

In the context of the Schrems II case (see a summary here), we continue our analysis of alternative vehicles allowing the transfer of personal data to third countries outside the European Economic Area. In previous papers, we focused on Binding Corporate Rules (BCR) [link] as alternatives to the Standard Contractual Clauses (SCC) [link]. This time, we will look at the so-called “derogations for specific situations” set forth under Article 49 GDPR as a subsidiary vehicle to…

The European Union’s highest court, the Court of Justice of the European Union (CJEU), is evaluating the legitimacy of the EU standard contractual clauses (SCC). SCCs have been the bedrock of cross-border personal data transfers outside the EU for many years. Today, the advocate general (a.g.) has rendered an opinion on the Schrems II case. By way of brief background, Schrems II is a case before the Court of Justice of the European Union (CJEU)…

The EU General Data Protection Regulation is attracting an increasing amount of attention (and concern) as the clock ticks ever-closer to implementation in 2018. Belgium’s Data Protection Authority (“Privacy Commission”) is among the first European data protection authorities to issue guidance on the record of processing activities under Article 30 of the EU General Data Protection Regulation (“GDPR”). Published on June 14, 2017, the guidance instructs data controllers and data processors on setting up a record of…