Starting this fall, companies transferring personal data from the European Economic Area (EEA) will likely begin to see a flurry of contract renegotiations. On June 4, 2021, the European Commission adopted long-awaited new Standard Contractual Clauses (SCCs) for transfers out of the EEA. SCCs have been one of the more popular ways for companies to transfer personal data from the EEA to third countries whose privacy laws have not been deemed “adequate” (like the US). The prior SCCs pre-date GDPR (see our discussion here), and have been updated (1) to address GDPR more directly and (2) in response to the comments in Schrems II last July, which called into question their use (the court noted that even under SCCs, certain “supplementary measures” might be needed for cross-border transfers).
Continue Reading Understanding When to Use Two New Sets of Standard Contractual Clauses Issued by the EU

The Portuguese data protection authority issued a recent resolution ordering the Portuguese National Institute of Statistics (INE) to stop sending personal census information to any countries outside of the EU that do not provide “adequate” levels of data protection. Among those countries is the United States.
Continue Reading Portugal Puts Halt on Data Transfers Between INE and Cloudflare

The Dutch Data Protection Authority recently imposed a €475,000 fine ($558,000) against the hotel website Booking.com for waiting longer than 72 hours to report a data breach. According to the Dutch DPA press release, Booking.com learned of the breach on January 13, 2019 and reported it to the DPA on February 7, 2019. The DPA did not make it clear in that release whether Booking.com had, in fact, determined on January 13, 2019 that a security breach impacting personal information of Dutch citizens had occurred, or whether January 13, 2019 was the date that Booking.com was first alerted to suspicious activity.

Continue Reading Booking.com Fined By Dutch DPA For Breach Notice Delay

Many supervisory authorities across Europe have reported increasing numbers of data breach notifications since the introduction of GDPR. While most companies are now familiar with the 72-hour obligation for controllers to report to supervisory authorities, whether that obligation has been triggered continues to present complex, fact-specific questions in each security event. To help companies sort through these potential legal notification obligations in the aftermath of a security event, the EDPB recently released draft guidance, which is open for comment until 2 March 2021.
Continue Reading Companies Have Until March to Comment on EDPB Data Breach Notification Guidelines

Many in the world have been watching the Brexit deal closely, including privacy lawyers and others who deal with global data transfers. Under the recently announced deal, a temporary solution will allow companies to continue to transfer data between the UK and the European Economic Area (EEA) as normal during a short post-Brexit transition period. As many know, transfers of personal data out of the EEA to third countries are restricted unless certain steps are taken or exceptions apply. One of those mechanisms is an EU determination that the country to which data is being transferred is “adequate.” With the current transition period set to expire December 31, 2020, and no adequacy decision for the UK yet issued by the Commission, companies have been worrying about how to receive data from the EEA into the UK given its impending status as a “third country.”
Continue Reading New Year, Same Transfers (for now): Temporary Brexit Deal Keeps EEA-UK Data Flowing

There has been much scrutiny of artificial intelligence tools this year. From NIST to the FTC to the EU Parliament, many have recommendations and requirements for companies that want to use AI tools. Key concerns include being transparent about the use of the tools, ensuring accuracy, not discriminating against individuals when using AI technologies, and not using the technologies in situations where they may not give reliable results (i.e., for things for which the tool was not designed). Additional requirements for use of these tools exist under GDPR as well.
Continue Reading 2020 In Review: An AI Roundup

Throughout 2020 we saw many enforcement actions brought by EU and U.S. regulators. Whether for allegations of deception (misleading privacy representations) or unfairness (failure to protect information), COVID did not appear to slow down regulatory action. Laws that many companies forget about, or don’t know as well, were enforced by regulators as well as through class action lawsuits. These included the Children’s Online Privacy Protection Act, Illinois’s Biometric Information Privacy Act, and the Telephone Consumer Protection Act.
Continue Reading 2020 In Review: Ongoing Enforcement Actions and a Patchwork of Privacy Laws

As 2020 comes to a close, we take this opportunity to look back at some of the more significant developments that we discussed in the blog this year. The first is the EU Court of Justice’s Schrems II decision, finding that the EU-U.S. Privacy Shield was not a valid mechanism for transferring personal data from the EU to the U.S. Related decisions came out of Switzerland and Israel.
Continue Reading 2020 In Review: Dealing With Schrems II Fallout

One of the methods US and EU companies rely on most frequently for the transfer of personal data from the EU to the US is standard contractual clauses. For the method to be acceptable as a valid basis for the transfer of personal information, one critical step is for companies to use the version of the clauses approved by the EU Commission. This has caused some confusion and concern, as the clauses predate GDPR and thus do not include provisions related to that 2018 law. Another area of confusion has been the recent criticism of the clauses as a valid method, on their own, for transferring personal data to certain jurisdictions, including the US. (See the supplementary protection measures proposed by the European Data Protection Board to address this latter issue, which we discussed recently.)
Continue Reading EU Seeking Comment on Revisions to Standard Contractual Clauses

The EDPB recently published recommendations on additional security steps to take when transferring personal data out of the EU. As outlined in our previous series of posts, the EU Court of Justice found this summer that the EU-US Privacy Shield was an invalid mechanism for transferring personal information from the EU to the US.
Continue Reading EDPB Sheds Post-Schrems II Light on Supplementary Measures for Data Transfers