Category

EU GDPR

Brief refresher on the Data Governance Act (DGA): We covered the new wave of EU data-centric legislation that is being implemented to usher in stronger regulatory guardrails for data in our recent article on the EU Data Strategy, with one of the discussed laws being the Data Governance Act. The Data Governance Act (DGA) is aimed at increasing accessibility to data by regulating the re-use of publicly held protected data, increasing data sharing through the…

We’ve set out our top ten tips on ensuring GDPR compliance if your organisation is procuring AI solutions from third parties. These tips are based on the issues which we see are attracting regulatory scrutiny in practice, the potential stumbling blocks we’re coming across in supplier terms, as well as the ICO’s AI guidance. This guidance has quickly gained a reputation as some of the most impressive and comprehensive guidance on AI and data protection…

In today’s digital economy, the ability to access and use data effectively is critical for economies to grow and drive innovation. Global data production is expected to increase by 530% between 2018 and 2025. In response to this opportunity, the European Commission (“EC”) outlined the European Data Strategy in 2020, one of its main objectives being to create a single common data market based on a harmonised framework for data exchange. This framework encompasses new…

Core to the one-stop shop mechanism, the EDPB serves as an independent umbrella organisation for the European data protection authorities (DPAs). The EDPB’s role is central to ensuring consistent application of the GDPR across the EU and to settling disputes in matters of cross-border processing where a group of DPAs is unable to agree on a cross-border decision. The EDPB issued two (2) key guidelines on May 24, 2023: Guidelines 03/2021 on the application of GDPR Article…

Most important changes and translation. Background and translation: At its meeting on 31 August 2022, the Swiss Federal Council adopted the revised Data Protection Ordinance (nDPO), which contains the implementing provisions of the revised Data Protection Act (nDPA). A translated version of the nDPO in English can be found here. The Federal Council confirmed that the nDPA and the nDPO will enter into force as expected on 1 September 2023. Overall, the revised Swiss data…

The United Kingdom has finalized, and laid before Parliament, its International Data Transfer Agreement (“IDTA”). The new IDTA will come into force on 21 March 2022, together with a supplemental document to the new EU Standard Contractual Clauses (“UK Addendum”) and transitional provisions, to address requirements under the UK GDPR and UK Data Protection Act. The IDTA, UK Addendum, and transitional provisions will replace use of the previous EU Standard Contractual Clauses (approved by…

The new standard contractual clauses for data transfers to third countries (“Ex-EU SCCs”) and standard contractual clauses for controllers and processors in the EU/EEA (“Intra-EU SCCs”) issued by the European Commission provide both chances and challenges for EU service providers supporting EU and non-EU customers, some of which are outlined below. 1. When do the Ex-EU SCCs apply? EU service providers supporting non-EU customers might want to enter into the new Ex-EU SCCs with…

The European Commission (“EC”) recently issued a set of standard contractual clauses for controllers and processors in the EU/EEA (“Intra-EU SCCs”). The Intra-EU SCCs accompany a wider set of clauses issued for extra-EU/EEA personal data transfers (“Extra-EU SCCs”), covering transfers between different types of data processing actors (processors, controllers, sub-processors etc.). Both of them were published in the Official Journal of the European Union on June 7, 2021. The clauses for intra-EU data processing arrangements…

On May 31, 2021, Max Schrems’ privacy organization, noyb (or “none of your business”), made over 500 complaints to companies related to what the organization called their “unlawful cookie banners.” Using automated scanning programs, noyb searched commonly used European websites and analyzed the cookie options provided on certain of these websites. noyb claims that it identified “more than fifteen common abuses” of cookie consent management, with some of the most prevalent “violations” identified as follows:…

The European Commission (“EC”) recently issued its revised standard contractual clauses for data transfers to third countries (“Ex-EU SCCs”) and a companion set of standard clauses for controllers and processors in the EU/EEA (“Intra-EU SCCs”). Both are now published in the Official Journal. The following is an introduction to the core elements of the Ex-EU SCCs and a brief overview of the Intra-EU SCCs. Legal Context: The Ex-EU SCCs are a mechanism that companies can…