Brian Hengesbaugh is joined by Michaela Nebel to discuss the enforcement of Schrems II, the decision of the Court of Justice of the European Union from last July 2020 where they invalidated the EU-US Privacy Shield with a focus on US government surveillance activities. This podcast looks squarely into enforcement activities in the aftermath of Schrems IIin Germany, and provides insight into the “coordinated audits of international data transfers” announced by various German data protection…
*Article originally posted on IAPP.org* We are all hopeful the U.S. government can reach an agreement with the European Commission and other EU authorities on a so-called “Privacy Shield 2.0” in the near term. Such an updated arrangement is essential to provide certainty to trans-Atlantic business and assure a high level of protection for personal data transfers. But what’s next? Over recent years, we have witnessed the Court of Justice of the European Union invalidate…
In two decisions on October 6, 2020, the Court of Justice of the European Union (CJEU) has once again provided a strict framework for national surveillance laws applicable to electronic communications and online service providers, and the investigative and intelligence measures related thereto. This is the second time since July (C-311/18, “Schrems II” which has invalidated the “Privacy Shield” due to the inadequacies of the US law) that the CJEU has ruled on these issues.…
On 16 July 2020, the European Court of Justice (“ECJ”) ruled that the EU Commission’s 2016 decision regarding the adequacy of data protection in the United States and the EU-US Privacy Shield (“Privacy Shield”)* are invalid. As a result, companies in the EU and United States relying on the Privacy Shield program are scrambling to determine the impact on their operations. Many US companies grant share-based awards to employees of their subsidiaries in the EU…
The Court of Justice of the EU issued its judgment in Data Protection Commissioner v Facebook Ireland Limited, Maximilian Schrems on 16 July 2020. This decision has implications on the wider issue of regulation of international data transfers and, by extension, the tech industry. Our panel of experts, consisting of Lothar Determann, Elisabeth Dehareng and Brian Hengesbaugh, examines the intricacies of the ruling and what it means for the TMT sector. https://open.spotify.com/episode/79SqOrfWy9fICVqHE7myVx
It’s difficult to believe that it has only been a short time since the Court of Justice of the European Union invalidated the European Commission adequacy finding for the EU-U.S. Privacy Shield on July 16, 2020. So much has changed. In this final note in the series, we provide seven predictions for the road ahead with “Schrems II” and global data transfers. Some of these may be more controversial than others, but here goes: 1.…
Most companies consider cross-border data transfer restrictions under EU data protection laws a difficult compliance requirement, particularly since July 16, when the Court of Justice of the European Union ruled on the EU-U.S. Privacy Shield and standard contractual clauses. Additionally, companies that offer data-processing services are also facing a difficult sales topic, which commands urgent attention, particularly in the technology, media and telecommunications sectors. Click here to continue reading. Note: This is the seventh in…
Starting with a good note: The “Schrems II” judgment does not lead to significant negative implications for companies that rely on the derogations the EU General Data Protection Regulation provides for international data transfers through Article 49. The Court of Justice of the European Union’s judgment stipulates that companies will need to evaluate whether their use of the standard contractual clauses provides sufficient protection in light of any access by the public authorities of the third country…
BCRs as a robust alternative to Privacy Shield and SCCs Binding corporate rules are considered the “gold standard” for international data transfers, primarily as they constitute the only data transfer mechanism that carries individual regulatory approval. As all concerned supervisory authorities have participated in the review and approval process, it seems unlikely that a supervisory authority would initiate an enforcement action against a data transfer that takes place on this basis. BCRs are also not…
In its “Schrems II” opinion issued July 16, the Court of Justice of the European Union did not reach any findings on the EU Commission’s decisions 2001/497/EC or 2004/915/EC, i.e., the standard contractual clauses for the transfer of personal data to controllers. However, the rationale behind the CJEU’s ruling on the controller-to-processor SCCs, as well as on the EU-U.S. Privacy Shield, suggests two things with respect to controller-to-controller SCCs: The additional measures for transfers under C2P SCCs…