EU Data Protection and Privacy

Key Point: The European Commission has adopted an adequacy decision for the EU-U.S. Data Privacy Framework, which allows certain businesses to transfer data from the EU to the U.S. without the need for additional transfer mechanisms. 

On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“Privacy Framework”). This decision declared that United States companies that self-certify under the Privacy Framework will be deemed to provide an adequate level of data protection, which removes the requirement for those companies to implement additional safeguards when transferring data from the EU to the U.S. These safeguard requirements have been standard for decades but have been most recently required under the General Data Protection Regulation (“GDPR”).

Keypoint: The AI Act is the first legislation of its kind and is expected to have a significant impact on companies globally.

The European Parliament recently voted in favor of the Artificial Intelligence Act (“AI Act”) by an overwhelming majority. Once finalized, the AI Act will have widespread impact for entities using artificial intelligence (“AI”) in their business operations. Similar to the European Union’s (“EU”) General Data Protection Regulation, the AI Act will apply extraterritorially to providers placing on the market or putting into service AI systems in the EU, irrespective of whether those providers are established in the EU or in a third country.

The AI Act is dense and expansive. For entities looking for an introduction to the topic, below we provide a brief overview of the current legislation, as well as what you can expect procedurally as the AI Act progresses toward final passage.

Keypoint: The EDPB takes the position that geographical boundaries – and not GDPR’s jurisdictional reach – govern the restricted transfer determination.

On November 19, 2021, the European Data Protection Board (EDPB) published draft guidelines on the interplay between the application of GDPR Article 3 and its provisions on international transfers in Chapter V.

The draft guidelines answer the question of whether a transfer of personal data occurs when the data leaves GDPR’s jurisdictional scope or when it leaves the European Union’s geographic scope. The draft guidelines also provide three criteria and a number of illustrative examples to guide controllers and processors to identify restricted transfers.

Restricted transfers are of heightened focus in light of the Court of Justice of the European Union’s decision in Schrems II, the European Commission’s issuance of new standard contractual clauses, and the EDPB’s recommendations on supplementary measures for cross-border data transfers. The guidelines – once finalized – will provide entities with further guidance on how to navigate this complex legal issue.

The draft guidelines will be open to public comment until the end of January.

Below is a summary.

Keypoint: Companies using the previous standard contractual clauses will have eighteen months to transition to the new documents.

Today, the European Commission announced that it has adopted “two sets of standard contractual clauses, one for use between controllers and processors and one for the transfer of personal data to third countries.” The new SCCs take into account new requirements under the General Data Protection Regulation as well as the Court of Justice’s Schrems II opinion.

Keypoint: The European Commission will consider the joint opinion and public comments and decide whether to modify the draft standard contractual clauses.

On January 15, 2021, the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) issued joint opinions on the European Commission’s two draft standard contractual clauses (SCCs) issued in November 2020. The first draft SCCs concern the transfer of personal data to third countries. The second draft SCCs concern the transfer of personal data between controllers and processors in the EEA. Both SCCs were open for public comment until December 10, 2020.

The below post will focus on the joint opinion on the draft SCCs concerning international data transfers (hereinafter “Cross-Border Transfer SCCs”).

Keypoint: The UK/EU Brexit agreement provides for the continuation of UK/EU cross-border data transfers for the next four to six months, allowing the European Commission more time to consider issuing an adequacy decision.

On December 24, 2020, the United Kingdom and the European Union announced a number of agreements concerning the United Kingdom’s exit from the European Union (Brexit).

Keypoint: Once finalized, US entities can use the new Standard Contractual Clauses to legally transfer data out of the EEA when combined with appropriate supplementary measures.

As discussed in our prior post, on November 12, 2020, the European Commission published a draft implementing decision on standard contractual clauses (SCCs) for the transfer of personal data to third countries and draft standard contractual clauses. Once finalized, the SCCs will replace the existing SCCs for data transfers out of the EEA.

As explained in the implementing decision, the SCCs “needed to be updated in light of new requirements in” GDPR. The SCCs also needed to be updated to consider “important developments . . . in the digital economy, with the widespread use of new and more complex processing operations often involving multiple data importers and exporters, long and complex processing chains as well as evolving business relationships.” The draft SCCs are also heavily influenced by the CJEU’s Schrems II decision.

The implementing decision and draft SCCs are open for public feedback until December 10, 2020. The European Commission presented the draft SCCs to the European Data Protection Board (EDPB) at the EDPB’s 42nd plenary session and requested a joint opinion from the EDPB and the European Data Protection Supervisor. For reference, the EDPB’s recommendations on draft supplementary measures were discussed in this blog post.

Once finalized, there will be a one-year implementation period in which entities can continue to rely on the existing SCCs for contracts entered into prior to the new SCCs going into effect, provided that the contract remains unchanged. However, the parties to the contract still must institute supplementary measures to allow for appropriate safeguards in light of the Schrems II judgment.

A discussion of some of the relevant takeaways from the draft SCCs follows:

Keypoint: In the wake of Schrems II, the EDPB’s much-anticipated recommendations provide extensive guidance on supplementary measures parties can use to legally transfer data out of the EEA in the absence of an adequacy decision.

In a flurry of activity last week, the European Data Protection Board (EDPB) and the European Commission made major announcements affecting cross-border data transfers out of the EEA.

First, the EDPB announced the adoption of draft recommendations on measures that supplement cross-border data transfer tools as well as recommendations on the European Essential Guarantees for surveillance measures. The recommendations were adopted during the EDPB’s 41st plenary session and in response to the CJEU’s Schrems II ruling. The following day, the European Commission published a draft set of new standard contractual clauses. Taken together, these documents will, once finalized, fundamentally change data transfers out of the EEA.

The below post will examine the EDPB’s draft recommendations on supplementary measures. The draft new standard contractual clauses will be discussed in a separate post.

Keypoint: The EDPB’s much-anticipated recommendations will help companies identify the supplementary measures they need to put into place to comply with the CJEU’s Schrems II decision.

Today, the European Data Protection Board (EDPB) announced that it has adopted recommendations on measures that supplement cross-border data transfer tools and recommendations on the European Essential Guarantees for surveillance measures. The recommendations – which are not yet publicly available – were adopted during the EDPB’s 41st plenary session and in response to the CJEU’s Schrems II ruling. Once available, the recommendations will be submitted for public consultation. As is customary, the recommendations are subject to legal, linguistic and formatting checks prior to being published on the EDPB’s website.

Keypoint: Entities that use Article 28 data processing agreements should closely review the EDPB’s draft guidelines and modify their data processing agreement as necessary.

In September, the European Data Protection Board (EDPB) adopted Guidelines 7/2020 on the concepts of controller and processor in the GDPR (Guidelines). The Guidelines, which are open for public consultation until October 19, 2020, address three topics – the distinctions between controllers and processors, the relationship between controllers and processors, and the consequences of joint controllership.

Although the other topics bear close consideration, the Guidelines’ analysis of the relationship between controller and processors – in particular, its discussion of Article 28 data processing agreements (DPAs) – should be closely examined by entities using DPAs. This is particularly true given the intense focus on DPAs in the context of international data transfers post Schrems II.

In the below analysis, we first provide a brief background on Article 28 and then discuss its requirements in further detail in the context of the EDPB’s guidance. In summary, the EDPB’s Guidelines require entities to conduct a thorough and considered analysis of these relationships and not simply use boilerplate DPAs.