In a much anticipated ruling, this month the Swiss Data Protection Authority concluded that the EU-US Swiss Privacy Shield was no longer an adequate method for transferring personal information from Switzerland to the US. In reaching this decision, the Swiss data protection authority agreed with the recent, similar, EU decision of inadequacy. Like the EU, Switzerland anticipates those transferring personal information from Switzerland to the US to rely on standard contractual clauses. However like the EU, Switzerland cautions that companies should assess “on a case-by-case basis” whether the recipient provides sufficient protection.
Continue Reading Impact of Swiss Privacy Shield Inadequacy Decision

The EDPB has provided input about consent in its recent FAQs responding to the Schrems II invalidation of Privacy Shield. As we wrote about previously in this series, Schrems II impacted how companies transfer data from the EU to the U.S..  As background, under GDPR, consent from the individual can be relied on to transfer information from the EU to an entity outside of the EU’s borders if three conditions exist. The EDPB reminded companies of these three conditions in its FAQs, drawing on prior guidance about consent:
Continue Reading Schrems II Fallout Continued: Can Companies Rely on Consent?

Companies who transfer data from the EU to the U.S. are struggling to determine the appropriate basis under which they can make these transfers. Continuing our examination of the outcome of this decision, we think now about what companies can do for transfers of information from the EU to the U.S.
Continue Reading EU Reaction to the Fall of Privacy Shield: The Rise of SCCs?

U.S. companies are in a bind in the wake of the recent EU decision rejecting the validity of the Privacy Shield. While it is clear that the EU will not accept Privacy Shield participation as a basis for transferring data from the EU to the U.S., next steps for participants are unfortunately not clear cut. U.S. companies who participate in the Shield program face two decisions: (1) whether to continue participation in the Privacy Shield program and (2) what mechanism to rely on for data transfers from the EU to the U.S.
Continue Reading How to Rise from the Privacy Shield Ashes: A View from the U.S.

On July 16, 2020, in the case colloquially known as “Schrems II,” the Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield, finding it an invalid mechanism for transferring data from the EU to the US. The CJEU concluded that the Standard Contractual Clauses (SCCs) are valid for the transfer of personal data outside the EU (which would include transfers to the US), with certain conditions.
Continue Reading CJEU Invalidates Privacy Shield, But Upholds SCCs with Conditions

The EDPB recently issued guidelines about how to use health data during the current pandemic in compliance with GDPR. Given the COVID-19 pandemic, there have been many research efforts in place to fight against the virus.  The EDPB’s guidelines shed light on the special rules for processing health data for scientific research, which apply in the context of the COVID-19 pandemic:
Continue Reading Using Health Data in Europe During COVID-19

Following its 20th plenary session on April 7, the European Data Protection Board (EDPB) selected geolocation and health data to focus on in its upcoming COVID-19 guidance. This follows in response to the EDPB’s earlier broad statement on the processing of personal data in the context of COVID-19.
Continue Reading EDPB Announces Scope of COVID-19 Guidance

The European Parliament recently issued a resolution directed at the European Commission on its concerns with automated decision-making processes and artificial intelligence. While the EU Parliament addresses several areas of automated decision-making, the underlying theme of this resolution is that the Commission should ensure that there is transparency and human oversight of these processes. In particular, the EU Parliament stresses that consumers should be properly informed about how the automated decision-making functions, be protected from harm, and, particularly with automated decision-making in professional services, that humans are always responsible and able to overrule decisions.  Additionally, this resolution stresses the need for a risk-based approach to regulating AI and automated decision-making and for the availability of large amounts of high quality data, while at the same time protecting any personal data under GDPR.
Continue Reading European Parliament Weighs in on Automated Decision-Making

The FTC recently finalized settlements with five companies over allegations that they falsely claimed certification under the EU-U.S. Privacy Shield framework. In each complaint, the FTC alleged that DCR Workforce, Inc., Thru, Inc., LotaData, Inc., and 214 Technologies, Inc. made false and misleading representations when they stated that they participated under the Privacy Shield framework on their website when they were not participants under the framework. Additionally, in the complaint against EmpiriStat, Inc., the FTC alleged that EmpiriStat, Inc. made a false and misleading representations when it stated that it was a current participant under the Privacy Shield framework on its website after it had allowed its certification to lapse and had been warned by the U.S. Department of Commerce to take down its claim of participation.
Continue Reading FTC Finalizes Five Settlements Regarding Privacy Shield Claims

Many organizations are currently focused on updating their privacy policy to include content required by CCPA. While making those edits, now is a good time to take a step back and think more broadly about privacy program and operations generally, and in particular about the non-CCPA parts of your privacy policy.
Continue Reading Is Your Privacy Policy Ready for 2020?

The European Data Protection Board recently requested comments on its data protection “by design and default” guidelines. Comments are due by mid-January of next year. The Guidelines provide clarity about how to address GDPR’s requirement that companies take “appropriate” technical and organizational steps to protect personal information and individuals. Part of the law’s requirements, according to the guidelines, is that companies can show that the measures they took are effective.
Continue Reading New European Data Protection Board Guidance on Data Protection by Design and by Default