Recent communications from the U.S. Securities and Exchange Commission (SEC) indicate that the SEC is again considering registration of advisers located in the UK. The SEC had delayed approving UK and European Union (EU) investment managers’ applications for registration since the adoption of the EU’s General Data Protection Regulation (GDPR), due to concerns that the GDPR would impede the SEC’s ability to collect data from, and supervise, these UK and EU investment managers.
In its judgment from October 1, the European Court of Justice (ECJ) ruled that an EU Member State cannot restrict a mail-order pharmacy, established in another Member State, from using paid referencing on search engines and price-comparison websites to promote its service, unless the Member State clearly establishes that the restriction is appropriate, and does not go beyond what is necessary, to protect public health. The ECJ further found that several other advertising restrictions imposed by France restricted the freedom to provide services under the e-commerce rules, but added that those restrictions may be justified provided that certain conditions are fulfilled, which is for the national referring court to verify.
In the wake of the recent Court of Justice of the European Union’s decision in Schrems II, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs met in early September to discuss the long-awaited revision of Standard Contractual Clauses (SCCs). During the meeting, Commissioner for Justice Didier Reynders expressed hope that revised SCCs would be finalised by the end of 2020.
On September 28, the U.S. government released a “White Paper” addressing how U.S. companies might justify their continued transfer to the U.S. of personal data of EU residents, following the decision of the Court of Justice of the European Union (“CJEU,” or “ECJ”) in Schrems II – more formally known as Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18 (July 16, 2020). The Schrems II decision struck down the EU-U.S. Privacy Shield as a basis for transferring EU personal data to the United States because of the Court’s view that U.S. national security law did not provide equivalent privacy protections to those available in the EU. While the CJEU upheld Commission-approved Standard Contractual Clauses (“SCCs”) as a basis for transfers of EU personal data to the U.S., the Court imposed significant new hurdles for the use of SCCs.
*This article was adapted from “Global Overview,” appearing in The Privacy, Data Protection and Cybersecurity Law Review (7th Ed. 2020)(Editor Alan Charles Raul), published by Law Business Research Ltd., and first published by the International Association of Privacy Professionals Privacy Perspectives series on September 28, 2020.
Privacy, like everything else in 2020, was dominated by the COVID-19 pandemic. Employers and governments have been required to consider privacy in adjusting workplace practices to account for who has a fever and other symptoms, who has traveled where, who has come into contact with whom, and what community members have tested positive or been exposed.
As a result of all this need for tracking and tracing, governments and citizens alike have recognized the inevitable trade-offs between exclusive focus on privacy versus exclusive focus on public health and safety.
After three years of discussions and in a final debate, the Swiss parliament has agreed on the final draft bill of a new and modernized data protection law.
In particular, the National Council and the Council of States found a compromise on the these outstanding issues: (more…)
In 2017, the Swiss government issued a draft bill for a new Swiss Data Protection Act (“nDPA”) with two main goals: (1) to enhance the level of protection of personal data provided in the current Swiss Data Protection Act which dates back to 1992 (largely, to align with the EU GDPR); and (2) to ensure that there is an “adequate” level of data protection to allow for the continued flow of personal data from the EEA to Switzerland.
On September 15, 2020, the U.S. Department of the Treasury published a final rule modifying the types of foreign investments that would trigger a mandatory filing before the Committee on Foreign Investment in the United States (CFIUS). The final rule largely tracks a proposed rule published by CFIUS on May 21, 2020. The final rule will come into effect on October 15, 2020, and will apply only to transactions that take place on or after that date. It is not retroactive.
On 2 September 2020, the European Data Protection Board (EDPB) published draft guidelines on the concepts of controller and processor under the GDPR (Draft Guidelines). The Draft Guidelines are intended to expand on and ultimately replace the guidance issued by the former Article 29 Working Party in 2010 (WP29 Guidance). The Draft Guidelines should be reviewed carefully to assess whether: (i) the understanding of an organisation’s role as a controller, joint controller or processor should be revised; and (ii) changes to existing vendor processes and contracts are needed in light of the assessment of guarantees provided by vendors and the more detailed processing provisions and ongoing diligence now required.
The Draft Guidelines consist of two parts. The first part seeks to further clarify the meaning of these concepts—which are crucial in determining compliance responsibilities under the GDPR—by reference to various examples. The second part provides detailed guidance on their respective roles and responsibilities, and the relationships between them.
The Draft Guidelines, accessible here, are subject to public consultation until 19 October 2020.
Following the Court of Justice of the European Union’s (“CJEU”) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”), the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) concluded in a position paper published on 8 September that the Swiss-US Privacy Shield no longer provides a valid mechanism for the transfer of personal data from Switzerland to the US.