Global Privacy & Security Compliance Law Blog

The EDPB’s Draft Data Transfer Guidance Following Schrems II – A Close Look

Posted in Legislative & Regulatory Developments, Privacy, Security

The EDPB takes a strict approach in its recent guidance on international data transfers following Schrems II, posing a difficult challenge for businesses.

By Gail Crawford, Ian Felstead, Fiona Maclean, Serrin Turner, Tim Wybitul, Victoria Wan and Amy Smyth

On 10 November, the European Data Protection Board (EDPB) released its much anticipated draft guidance on international personal data transfers (the Guidance) in the wake of the CJEU Schrems II decision. The EDPB simultaneously issued updated recommendations on the European Essential Guarantees for surveillance measures, which are referred to in the Guidance. The Guidance sets out the EDPB’s proposed step-by-step process for data controllers and data processors that export personal data, outlining how to assess their data transfers and implement General Data Protection Regulation (GDPR)-compliant mechanisms to protect data flows. One day later, the European Commission released draft updated Standard Contractual Clauses (SCCs) for the transfer of personal data. The draft updated SCCs are explicitly designed to address Schrems II requirements, and cross-refer extensively to the Guidance in the draft implementing decision.

Privacy and Payments: New Draft EU Advice for Financial Institutions

Posted in Privacy

As contactless transactions boom, EU regulators publish draft guidelines on the interplay between the GDPR and PSD2.

By Fiona M. Maclean, Christian F. McDermott, Calum Docherty, and Amy Smyth

Last year, more than half of all payments in the UK were made by card and contactless methods, while cash made up less than a quarter of all payments for the first time, according to the trade association UK Finance. The COVID-19 pandemic has accelerated the shift towards a cashless society, as governments across Europe encourage citizens and businesses to adopt cashless solutions. At the start of the lockdown, in the spring, ATM transaction volumes in the UK fell 62% year on year, while the daily cash transaction volumes dropped by as much as 90% in Spain, according to the Financial Times.

Swiss Regulator Determines Swiss-US Privacy Shield Is Inadequate

Posted in Legislative & Regulatory Developments

Swiss companies are advised to take additional measures when transferring personal data from Switzerland to the US.

By Gail E. Crawford, Fiona M. Maclean, and Amy Smyth

On 8 September 2020, the Swiss data protection authority, Adrian Lobsiger (the Federal Data Protection and Information Commissioner, FDPIC), concluded in his annual review that the Swiss-US Privacy Shield does not provide an adequate level of protection for personal data transfers from Switzerland to the US pursuant to the Swiss Federal Act on Data Protection (FADP). Mirroring the Court of Justice of the European Union’s (CJEU’s) findings in the recent Schrems II decision, the FDPIC also concludes that the standard contractual clauses (SCCs) and binding corporate rules (BCRs) (as applied in Switzerland) may not provide adequate protection for transfers to the US or other third countries.

How Does the New DIFC Data Protection Law Compare With the GDPR?

Posted in Legislative & Regulatory Developments

Latham lawyers explain who the DIFC’s new law applies to and how it maps against the GDPR.

By Brian A. Meenagh, Fiona M. Maclean, Alexander Hendry, and Avinash Balendran

The Dubai International Financial Centre (DIFC) recently issued a new data protection law and regulations: the Data Protection Law DIFC Law No. 5 of 2020 and the Data Protection Regulations (together, the DIFC DP Legislation). The new law, which became effective on 1 July 2020, sets a significant benchmark for data privacy in the Middle East and aligns the DIFC’s data protection framework with international data protection regulations, including the EU’s General Data Protection Regulation (GDPR).

Practical Considerations for Assessing Data Transfers after Schrems II

Posted in Legislative & Regulatory Developments

Latham develops new resource to identify considerations for assessing SCC and BCR data transfers in Europe.

By Gail E. Crawford, Fiona M. Maclean, Michael H. Rubin, Serrin Turner, Tim Wybitul, and Ulrich Wuermeling

Following the Schrems II decision in July 2020, organisations relying on the standard contractual clauses (SCCs) or Binding Corporate Rules (BCRs) to transfer personal data outside of the European Economic Area are required to assess whether the law of the destination country ensures adequate protection for the personal data being transferred. Organisations may also need to put in place additional safeguards to ensure an essentially equivalent level of protection. The CJEU indicated that SCCs should not be used if the destination country’s legal regime prevents compliance with their terms or impinges on the level of protection they afford.

French Data Protection Authority Hands Down First Sanction as Lead Authority

Posted in GDPR

The CNIL has imposed a €250,000 fine on an online retailer for GDPR infringements in cooperation with other EU supervisory authorities.

By Myria Saarinen and Charlotte Guerin

Founded in 2006 and headquartered in France, Spartoo SAS (Spartoo) is one of the leaders of the European online shoe retail market. On 31 May 2018, a week after the entry into application of the GDPR, the French Data Protection Authority (the CNIL) launched an on-site investigation of Spartoo in cooperation with other EU supervisory authorities. The CNIL eventually handed down its decision on 28 July 2020, imposing a €250,000 fine on Spartoo for the infringement of four different provisions of the GDPR. Spartoo may appeal the CNIL’s decision within two months. The decision illustrates how the GDPR’s “one-stop shop” mechanism can operate, and also provides insight to online retailers and other businesses on what to expect regarding GDPR enforcement in practice.

China Issues Draft Data Security Law for Public Comment

Posted in Security

The proposed Data Security Law has a broad jurisdictional scope and will expand the PRC’s regulatory framework for information and data.

By Hui Xu, Gail E. Crawford, Jennifer C. Archie, Kieran Donovan, and Aster Y. Lin

On July 3, 2020, the Standing Committee of the National People’s Congress of the People’s Republic of China (PRC) issued the draft Data Security Law (DSL) for public comment. Once finalized, the DSL, together with the PRC Network Security Law and the proposed PRC Personal Information Protection Law, will form an increasingly comprehensive legal framework for information and data security.

France’s Highest Administrative Court Provides Insights on Lawful Cookie Practices

Posted in Legislative & Regulatory Developments

Court’s decision struck down blanket prohibition on so-called “cookie walls” that prevent users from accessing a website or an application.

By Myria Saarinen and Charlotte Guérin

France’s Highest Administrative Court (the Conseil d’Etat) issued a decision on 19 June 2020 upholding most of the guidance on cookies and other tracking devices that the French Data Protection Authority (the CNIL) had published on 4 July 2019 (the Guidance). However, the Conseil d’Etat struck down the provision of the Guidance imposing a blanket prohibition on so-called “cookie walls” that prevent users who do not consent to the use of cookies from accessing a website or an application. On the same day, the CNIL published a communication acknowledging the decision and announcing that it would adjust its Guidance and future recommendation to strictly comply with the Conseil d’Etat’s decision.

CJEU Invalidates EU-US Privacy Shield

Posted in Legislative & Regulatory Developments, Privacy

A ruling by the EU’s top court invalidates the key mechanism for transferring personal data from the EU to the US and imposes additional conditions for use of the standard contractual clauses.

By Gail E. Crawford, Fiona M. Maclean, Michael H. Rubin, Ulrich Wuermeling, Calum Docherty, and Amy Smyth

On 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, one of the key mechanisms for lawfully transferring personal data from the European Union to the United States. At the same time, the CJEU ruled that the standard contractual clauses (Model Clauses) remain valid but can only be used under strict conditions.

This post provides an initial analysis of the judgment and proposes some immediate next steps for businesses to ensure compliant data transfers from the EU.

French State Council Upholds CNIL’s €50M Fine for GDPR Violations

Posted in GDPR

The Council decision contains useful considerations and clarifications on the “one-stop shop” mechanism, transparency obligations, and consent for targeted advertising.

By Myria Saarinen and Camille Dorval

On 19 June 2020, France’s Highest Administrative Court (Council) handed down its decision on the appeal filed by Google LLC (Google) against the French Data Protection Authority’s (CNIL’s) decision of 21 January 2019, which imposed a fine of €50M on Google for failure to comply with the obligations of transparency and to lawfully process personal data on the basis of a valid consent, with respect to the operating system for Android mobile terminals.