The U.S. President and European Commission President announced in a joint press statement on March 25th, 2022 that an agreement “in principle” has been reached on a new Trans-Atlantic Data Privacy Framework (Privacy Shield Agreement 2.0). Once approved and implemented, the agreement would facilitate the transatlantic flow of personal data and provide an alternative data transfer mechanism (in addition to EU Standard Contractual Clauses and Binding Corporate Rules) for companies transferring personal data from the EU to the U.S. This is a welcome announcement for companies that have been dealing with the legal uncertainty of such data flows following the Schrems II decision in July 2020, which invalidated the EU-U.S. Privacy Shield 1.0 for international transfers of personal data.
On 23 February 2022, the European Commission (Commission) proposed a draft of a regulation on harmonised rules on fair access to and use of data – also known as the Data Act. The Data Act is intended to “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all”.
If adopted in its current form, the new rules will impose far-reaching obligations on tech companies (such as manufacturers of connected products and cloud service providers) and give national authorities new enforcement powers to sanction infringements with fines of up to EUR 20 million or 4% of annual global revenue, whichever is higher. (more…)
The European Data Protection Board (“EDPB”), adopted on 18 June 2021 its final recommendations describing how controllers and processors transferring personal data outside the European Economic Area (“EEA”) may comply with the Schrems II ruling (“Final Schrems II Recommendations”). The Final Schrems II Recommendations, together with the new Standard Contractual Clauses (“SCCs”) adopted by the European Commission on 4 June 2021, will now allow organizations to proceed with addressing international data transfers following the landmark Schrems II ruling by the Court of Justice of the European Union in July 2020.
The Final Schrems II Recommendations have maintained the requirement to carry out a 6 Step assessment prior to transferring personal data outside the EEA in reliance on a data transfer tool, such as SCCs. However, there have been some important amendments from the draft recommendations published in November 2020 in order to:
- better align with the new SCCs recently adopted by the European Commission; and
- allow more flexibility in carrying out the assessment of third country laws in Step 3 by being able to take into account practice in the third country as well as the documented practical experience of the data importer.
Our previous blog post on the draft EDPB’s Schrems II recommendations – accessible here – provides further details on the 6 Step process that organizations should follow when transferring personal data from the EEA to a third country such as the U.S. Here we summarise some of the key differences in the 6 Steps as between the draft recommendations and the Final Schrems II Recommendations.
The European Commission has formally launched its legislative initiative aimed at increasing access to and further use of data, so that more public and private actors can benefit from technologies such as Big Data and machine learning. The Commission has published its inception impact assessment on the forthcoming Data Act, on which interested stakeholders can submit comments until 25 June 2021. In parallel, the Commission has launched a public consultation for the legislative initiative, to be conducted by an online questionnaire, with a deadline of 3 September 2021. Feedback will be taken into account for further development and fine tuning of the initiative to be tabled in Q3-Q4 2021.
On December 15, the European Commission (Commission) proposed drafts of two landmark digital legislative packages — the Digital Markets Act (DMA), which proposes new competition rules for so-called “gatekeeper” platforms to address alleged unfair practices and make them more contestable by competitors, and the Digital Services Act (DSA), which recommends revamping content moderation rules for “very large online platforms.”
The new rules, if they pass into law in their current form, would impose a stringent regulatory regime on Big Tech and give the Commission new enforcement powers. The draft regulations foresee severe fines for noncompliance — up to 10% of a company’s global revenues under the DMA and up to 6% under the DSA. The Commission would also be able to impose structural remedies, such as obliging a gatekeeper to sell all or part of a business, on companies that repeatedly engage in anticompetitive behavior prohibited by the DMA.
The proposals mark the beginning of a legislative process that is likely to be controversial and hotly contested, as there are marked differences of opinion on whether these proposals go too far, do not go far enough, or are necessary at all in light of preexisting competition powers.
*This article was adapted from “Global Overview,” appearing in The Privacy, Data Protection and Cybersecurity Law Review (7th Ed. 2020)(Editor Alan Charles Raul), published by Law Business Research Ltd., and first published by the International Association of Privacy Professionals Privacy Perspectives series on September 28, 2020.
Privacy, like everything else in 2020, was dominated by the COVID-19 pandemic. Employers and governments have been required to consider privacy in adjusting workplace practices to account for who has a fever and other symptoms, who has traveled where, who has come into contact with whom, and what community members have tested positive or been exposed.
As a result of all this need for tracking and tracing, governments and citizens alike have recognized the inevitable trade-offs between exclusive focus on privacy versus exclusive focus on public health and safety.
On 13 November 2019, the European Data Protection Board (“EDPB”) adopted guidelines on the GDPR’s data protection by design and by default principle (“Guidelines”). The Guidelines provide further guidance into the technical and organizational measures and safeguards that data controllers must take into account when designing their processing activities. The EDPB encourages early consideration of data protection by design and by default principles (“DPbDD”) and considers DPbDD to be at the forefront of GDPR compliance. Data controllers, processors and technology providers should consider re-assessing their processing operations and products against the standards put forward in the Guidelines.
The Securities and Futures Commission of Hong Kong (SFC) issued new guidance to regulate the use of external electronic data storage providers (EDSPs1) by licensed firms that intend to keep (or have previously kept) records or documents required to be maintained pursuant to the statutory recordkeeping rules and anti-money-laundering regime (Regulatory Records) in an online environment. The new guidance2 and related FAQs released October 31, 2019, while extensive and significant, confirm the Hong Kong regulator’s willingness to provide firms with a degree of flexibility in complying with the statutory recordkeeping obligations and clarify the baseline obligations when entering into outsourcing arrangements for the storage of records in electronic format with third-party vendors. (more…)
In recent years, the rise of cloud computing has led to more and more data being stored somewhere other than the jurisdiction in which it was created. This trend increasingly has led U.S. law enforcement officials to demand access to information held abroad, just as foreign officials increasingly want access to data held inside the United States. But satisfying these growing desires for cross-border access has proven complicated. The Mutual Legal Assistance Treaty (MLAT) process has not kept pace with the Internet-fueled increase in data requests, nor has a workable alternative to that process emerged. And questions remain as to whether relevant U.S. statutes authorize extraterritorial legal process. Even if law enforcement officials do have tools that allow them to seek data held elsewhere, the holders of such data may face a conflict between their obligations to respond to one country’s lawful process and the obligations to comply with another country’s privacy protections or blocking statutes. (more…)
On October 16, 2017, the U.S. Supreme Court granted the U.S. government’s request for review of a lower court decision that rejected the government’s construction of the Stored Communications Act (SCA) and embraced a more restrictive view that Microsoft had advanced, backed by much of the tech industry and many privacy groups. (more…)