On November 2, 2020, Singapore’s legislature finally approved amendments to the Personal Data Protection Act (PDPA). The changes become law once a government gazette is passed (possibly before the end of 2020). If you operate in Singapore, handle Singapore data, or maintain a server in Singapore, it is crucial that you have protocols in place to guide employees on what to do when a data breach occurs and consider doing a data breach tabletop exercise. (We have organized a number of these drills for clients in preparation for breach notification requirements in Australia and now Singapore.) (more…)
The European Commission (EC), on 12 November 2020, published a draft decision implementing revised Standard Contractual Clauses (draft SCCs) – (the EC’s Draft). The EC’s Draft was published following the Court of Justice of the European Union’s (CJEU) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems on 16 July 2020 (Schrems II), which found (amongst other things) that supplementary protections may need to be implemented when SCCs are used to ensure an ‘essentially equivalent’ level of data protection. The publication of the EC’s Draft comes just one day after the European Data Protection Board (EDPB) published its draft recommendations describing how controllers and processors transferring personal data outside the European Economic Area (EEA) may comply with the Schrems II ruling. The EC’s Draft is open for public consultation until 10 December 2020, after which it will undergo a process of review by representatives of every EU Member State (the Committee) who will each need to provide a positive opinion in relation to the EC’s Draft as part of the EU examination procedure. The European Data Protection Supervisor must also be consulted and it is recommended that the EDPB is consulted. The EC’s College of Commissioners may then adopt the EC’s final decision
Following the Court of Justice of the European Union’s (“CJEU”) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems on 16 July 2020 (“Schrems II”), the European Data Protection Board, tasked with overseeing compliance with the GDPR (“EDPB”), on 11 November 2020 issued its anticipated recommendations describing how controllers and processors transferring personal data outside the European Economic Area (“EEA”) may comply with the Schrems II ruling. These recommendations are applicable immediately but are open for public consultation until November 30. Information on submitting public comments is accessible here.
In Schrems II, the CJEU invalidated the EU-U.S. Privacy Shield program (“Privacy Shield”) and potentially required supplementary protections to be implemented when Standard Contractual Clauses (“SCCs”) are used to ensure an ‘essentially equivalent’ level of data protection. Under the GDPR, personal data transfers outside the EEA to jurisdictions which are not found to provide an ‘adequate level of protection’ to the data, are restricted unless appropriate safeguards are implemented. The Privacy Shield and SCCs were two key appropriate safeguard mechanisms used to legitimize transfers of personal data outside the EEA to ‘non-adequate’ recipient countries, referred to as “Third Countries.”
Following the Court of Justice of the European Union’s (“CJEU”) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems on 16 July 2020 (“Schrems II”), the European Data Protection Supervisor, tasked with overseeing compliance with EU data protection laws by the EU institutions (“EUIs” and “EDPS”), issued guidance on 29 October 2020 on how EU institutions should comply with the Schrems II ruling (“EDPS Guidance”). In Schrems II, the CJEU invalidated the EU-U.S. Privacy Shield program and potentially required additional protections to be implemented when Standard Contractual Clauses are used. Both are key legal mechanisms used to enable transfers of personal data outside the EU.
Recent communications from the U.S. Securities and Exchange Commission (SEC) indicate that the SEC is again considering registration of advisers located in the UK. The SEC had delayed approving UK and European Union (EU) investment managers’ applications for registration since the adoption of the EU’s General Data Protection Regulation (GDPR), due to concerns that the GDPR would impede the SEC’s ability to collect data from, and supervise, these UK and EU investment managers.
In its judgment from October 1, the European Court of Justice (ECJ) ruled that an EU Member State cannot restrict a mail-order pharmacy, established in another Member State, from using paid referencing on search engines and price-comparison websites to promote its service, unless the Member State clearly establishes that the restriction is appropriate, and does not go beyond what is necessary, to protect public health. The ECJ further found that several other advertising restrictions imposed by France restricted the freedom to provide services under the e-commerce rules, but added that those restrictions may be justified provided that certain conditions are fulfilled, which is for the national referring court to verify.
In the wake of the recent Court of Justice of the European Union’s decision in Schrems II, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs met in early September to discuss the long-awaited revision of Standard Contractual Clauses (SCCs). During the meeting, Commissioner for Justice Didier Reynders expressed hope that revised SCCs would be finalised by the end of 2020.
On September 28, the U.S. government released a “White Paper” addressing how U.S. companies might justify their continued transfer to the U.S. of personal data of EU residents, following the decision of the Court of Justice of the European Union (“CJEU,” or “ECJ”) in Schrems II – more formally known as Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18 (July 16, 2020). The Schrems II decision struck down the EU-U.S. Privacy Shield as a basis for transferring EU personal data to the United States because of the Court’s view that U.S. national security law did not provide equivalent privacy protections to those available in the EU. While the CJEU upheld Commission-approved Standard Contractual Clauses (“SCCs”) as a basis for transfers of EU personal data to the U.S., the Court imposed significant new hurdles for the use of SCCs.
*This article was adapted from “Global Overview,” appearing in The Privacy, Data Protection and Cybersecurity Law Review (7th Ed. 2020)(Editor Alan Charles Raul), published by Law Business Research Ltd., and first published by the International Association of Privacy Professionals Privacy Perspectives series on September 28, 2020.
Privacy, like everything else in 2020, was dominated by the COVID-19 pandemic. Employers and governments have been required to consider privacy in adjusting workplace practices to account for who has a fever and other symptoms, who has traveled where, who has come into contact with whom, and what community members have tested positive or been exposed.
As a result of all this need for tracking and tracing, governments and citizens alike have recognized the inevitable trade-offs between exclusive focus on privacy versus exclusive focus on public health and safety.
After three years of discussions and in a final debate, the Swiss parliament has agreed on the final draft bill of a new and modernized data protection law.
In particular, the National Council and the Council of States found a compromise on the these outstanding issues: (more…)