The EDPB has provided input about consent in its recent FAQs responding to the Schrems II invalidation of Privacy Shield. As we wrote about previously in this series, Schrems II impacted how companies transfer data from the EU to the U.S.. As background, under GDPR, consent from the individual can be relied on to transfer information from the EU to an entity outside of the EU’s borders if three conditions exist. The EDPB reminded companies of these three conditions in its FAQs, drawing on prior guidance about consent:
Continue Reading Schrems II Fallout Continued: Can Companies Rely on Consent?
EU Reaction to the Fall of Privacy Shield: The Rise of SCCs?
Companies who transfer data from the EU to the U.S. are struggling to determine the appropriate basis under which they can make these transfers. Continuing our examination of the outcome of this decision, we think now about what companies can do for transfers of information from the EU to the U.S.
Continue Reading EU Reaction to the Fall of Privacy Shield: The Rise of SCCs?
CJEU Invalidates Privacy Shield, But Upholds SCCs with Conditions
On July 16, 2020, in the case colloquially known as “Schrems II,” the Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield, finding it an invalid mechanism for transferring data from the EU to the US. The CJEU concluded that the Standard Contractual Clauses (SCCs) are valid for the transfer of personal data outside the EU (which would include transfers to the US), with certain conditions.
Continue Reading CJEU Invalidates Privacy Shield, But Upholds SCCs with Conditions