The European Commission (EC), on 12 November 2020, published a draft decision implementing revised Standard Contractual Clauses (draft SCCs) – (the EC’s Draft). The EC’s Draft was published following the Court of Justice of the European Union’s (CJEU) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems on 16 July 2020 (Schrems II), which found (amongst other things) that supplementary protections may need to be implemented when SCCs are used to ensure an ‘essentially equivalent’ level of data protection. The publication of the EC’s Draft comes just one day after the European Data Protection Board (EDPB) published its draft recommendations describing how controllers and processors transferring personal data outside the European Economic Area (EEA) may comply with the Schrems II ruling. The EC’s Draft is open for public consultation until 10 December 2020, after which it will undergo a process of review by representatives of every EU Member State (the Committee) who will each need to provide a positive opinion in relation to the EC’s Draft as part of the EU examination procedure. The European Data Protection Supervisor must also be consulted and it is recommended that the EDPB is consulted. The EC’s College of Commissioners may then adopt the EC’s final decision
Following the Court of Justice of the European Union’s (“CJEU”) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems on 16 July 2020 (“Schrems II”), the European Data Protection Board, tasked with overseeing compliance with the GDPR (“EDPB”), on 11 November 2020 issued its anticipated recommendations describing how controllers and processors transferring personal data outside the European Economic Area (“EEA”) may comply with the Schrems II ruling. These recommendations are applicable immediately but are open for public consultation until November 30. Information on submitting public comments is accessible here.
In Schrems II, the CJEU invalidated the EU-U.S. Privacy Shield program (“Privacy Shield”) and potentially required supplementary protections to be implemented when Standard Contractual Clauses (“SCCs”) are used to ensure an ‘essentially equivalent’ level of data protection. Under the GDPR, personal data transfers outside the EEA to jurisdictions which are not found to provide an ‘adequate level of protection’ to the data, are restricted unless appropriate safeguards are implemented. The Privacy Shield and SCCs were two key appropriate safeguard mechanisms used to legitimize transfers of personal data outside the EEA to ‘non-adequate’ recipient countries, referred to as “Third Countries.”
Following the Court of Justice of the European Union’s (“CJEU”) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems on 16 July 2020 (“Schrems II”), the European Data Protection Supervisor, tasked with overseeing compliance with EU data protection laws by the EU institutions (“EUIs” and “EDPS”), issued guidance on 29 October 2020 on how EU institutions should comply with the Schrems II ruling (“EDPS Guidance”). In Schrems II, the CJEU invalidated the EU-U.S. Privacy Shield program and potentially required additional protections to be implemented when Standard Contractual Clauses are used. Both are key legal mechanisms used to enable transfers of personal data outside the EU.
The results are in, and California voters have approved the California Privacy Rights Act (CPRA) which was listed on the ballot as Proposition 24. The law, most of which does not go into effect until January 1, 2023, will substantially overhaul and amend the California Consumer Privacy Act (CCPA) which went into effect just this year, on January 1, 2020, with final regulations issued just a few months ago, on August 14, 2020. And indeed, CCPA obligations continue to evolve, with proposed amendments to the regulations proposed by the Attorney General’s Office mid-October 2020.
Recent communications from the U.S. Securities and Exchange Commission (SEC) indicate that the SEC is again considering registration of advisers located in the UK. The SEC had delayed approving UK and European Union (EU) investment managers’ applications for registration since the adoption of the EU’s General Data Protection Regulation (GDPR), due to concerns that the GDPR would impede the SEC’s ability to collect data from, and supervise, these UK and EU investment managers.
In the wake of the recent Court of Justice of the European Union’s decision in Schrems II, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs met in early September to discuss the long-awaited revision of Standard Contractual Clauses (SCCs). During the meeting, Commissioner for Justice Didier Reynders expressed hope that revised SCCs would be finalised by the end of 2020.
On September 28, the U.S. government released a “White Paper” addressing how U.S. companies might justify their continued transfer to the U.S. of personal data of EU residents, following the decision of the Court of Justice of the European Union (“CJEU,” or “ECJ”) in Schrems II – more formally known as Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18 (July 16, 2020). The Schrems II decision struck down the EU-U.S. Privacy Shield as a basis for transferring EU personal data to the United States because of the Court’s view that U.S. national security law did not provide equivalent privacy protections to those available in the EU. While the CJEU upheld Commission-approved Standard Contractual Clauses (“SCCs”) as a basis for transfers of EU personal data to the U.S., the Court imposed significant new hurdles for the use of SCCs.
*This article was adapted from “Global Overview,” appearing in The Privacy, Data Protection and Cybersecurity Law Review (7th Ed. 2020)(Editor Alan Charles Raul), published by Law Business Research Ltd., and first published by the International Association of Privacy Professionals Privacy Perspectives series on September 28, 2020.
Privacy, like everything else in 2020, was dominated by the COVID-19 pandemic. Employers and governments have been required to consider privacy in adjusting workplace practices to account for who has a fever and other symptoms, who has traveled where, who has come into contact with whom, and what community members have tested positive or been exposed.
As a result of all this need for tracking and tracing, governments and citizens alike have recognized the inevitable trade-offs between exclusive focus on privacy versus exclusive focus on public health and safety.
After three years of discussions and in a final debate, the Swiss parliament has agreed on the final draft bill of a new and modernized data protection law.
In particular, the National Council and the Council of States found a compromise on the these outstanding issues: (more…)
On 2 September 2020, the European Data Protection Board (EDPB) published draft guidelines on the concepts of controller and processor under the GDPR (Draft Guidelines). The Draft Guidelines are intended to expand on and ultimately replace the guidance issued by the former Article 29 Working Party in 2010 (WP29 Guidance). The Draft Guidelines should be reviewed carefully to assess whether: (i) the understanding of an organisation’s role as a controller, joint controller or processor should be revised; and (ii) changes to existing vendor processes and contracts are needed in light of the assessment of guarantees provided by vendors and the more detailed processing provisions and ongoing diligence now required.
The Draft Guidelines consist of two parts. The first part seeks to further clarify the meaning of these concepts—which are crucial in determining compliance responsibilities under the GDPR—by reference to various examples. The second part provides detailed guidance on their respective roles and responsibilities, and the relationships between them.
The Draft Guidelines, accessible here, are subject to public consultation until 19 October 2020.