EU Data Protection and Privacy

Keypoint: Once finalized, US entities can use the new Standard Contractual Clauses to legally transfer data out of the EEA when combined with appropriate supplementary measures.

As discussed in our prior post, on November 12, 2020, the European Commission published a draft implementing decision on standard contractual clauses (SCCs) for the transfer of personal data to third countries and draft standard contractual clauses. Once finalized, the SCCs will replace the existing SCCs for data transfers out of the EEA.

As explained in the implementing decision, the SCCs “needed to be updated in light of new requirements in” GDPR. The SCCs also needed to be updated to consider “important developments . . . in the digital economy, with the widespread use of new and more complex processing operations often involving multiple data importers and exporters, long and complex processing chains as well as evolving business relationships.” The draft SCCs are also heavily influenced by the CJEU’s Schrems II decision.

The implementing decision and draft SCCs are open for public feedback until December 10, 2020. The European Commission presented the draft SCCs to the European Data Protection Board (EDPB) at the EDPB’s 42nd plenary session and requested a joint opinion from the EDPB and the European Data Protection Supervisor. For reference, the EDPB’s recommendations on draft supplementary measures was discussed in this blog post.

Once finalized, there will be a one-year implementation period in which entities can continue to rely on the existing SCCs for contracts entered into prior to the new SCCs going in effect, provided that the contract remains unchanged. However, the parties to the contract still must institute supplementary measures to allow for appropriate safeguards in light of the Schrems II judgment.

A discussion of some of the relevant takeaways from the draft SCCs follows:


Continue Reading Analyzing the Draft Standard Contractual Clauses

Keypoint: In the wake of Schrems II, the EDPB’s much-anticipated recommendations provide extensive guidance on supplementary measures parties can use to legally transfer data out of the EEA in the absence of an adequacy decision.

In a flurry of activity last week, the European Data Protection Board (EDPB) and the European Commission made major announcements affecting cross-border data transfers out of the EEA.

First, the EDPB announced the adoption of draft recommendations on measures that supplement cross-border data transfer tools as well as recommendations on the European Essential Guarantees for surveillance measures. The recommendations were adopted during the EDPB’s 41st plenary session and in response to the CJEU’s Schrems II ruling. The following day, the European Commission published a draft set of new standard contractual clauses. Taken together, these documents will, once finalized, fundamentally change data transfers out of the EEA.

The below post will examine the EDPB’s draft recommendations on supplementary measures. The draft new standard contractual clauses will be discussed in a separate post.


Continue Reading Analyzing the EDPB’s Draft Recommendations on Supplementary Measures

Keypoint: The EDPB’s much-anticipated recommendations will help companies identify the supplementary measures they need to put into place to comply with the CJEU’s Schrems II decision.

Today, the European Data Protection Board (EDPB) announced that it has adopted recommendations on measures that supplement cross-border data transfer tools and recommendations on the European Essential Guarantees for surveillance measures. The recommendations – which are not yet publicly available – were adopted during the EDPB’s 41st plenary session and in response to the CJEU’s Schrems II ruling. Once available, the recommendations will be submitted for public consultation. As is customary, the recommendations are subject to legal, linguistic and formatting checks prior to being published on the EDPB’s website.


Continue Reading EDPB Announces Recommendations on Schrems II Supplementary Measures

Keypoint: Entities that use Article 28 data processing agreements should closely review the EDBP’s draft guidelines and modify their data processing agreement as necessary.

In September, the European Data Protection Board (EDPB) adopted Guidelines 7/2020 on the concepts of controller and processor in the GDPR (Guidelines). The Guidelines, which are open for public consultation until October 19, 2020, address three topics – the distinctions between controllers and processors, the relationship between controllers and processors, and the consequences of joint controllership.

Although the other topics bear close consideration, the Guidelines’ analysis of the relationship between controller and processors – in particular, its discussion of Article 28 data processing agreements (DPAs) – should be closely examined by entities using DPAs. This is particularly true given the intense focus on DPAs in the context of international data transfers post Schrems II.

In the below analysis, we first provide a brief background on Article 28 and then discuss its requirements in further detail in the context of the EDPB’s guidance. In summary, the EDBP’s Guidelines require entities to conduct a thorough and considered analysis of these relationships and not simply use boilerplate DPAs.


Continue Reading Analyzing the EDPB’s Guidelines on Article 28 Data Processing Agreements

The fallout from the Schrems II judgment continued on Tuesday with an announcement from Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) that the Swiss-US Privacy Shield regime “does not provide an adequate level of protection for data transfer from Switzerland to the US pursuant to [Switzerland’s] Federal Act on Data Protection (FADP).”

Continue Reading Switzerland’s DPA Concludes that Swiss-US Privacy Shield Does Not Provide Adequate Level of Protection