Keypoint: Entities that use Article 28 data processing agreements should closely review the EDBP’s draft guidelines and modify their data processing agreement as necessary.

In September, the European Data Protection Board (EDPB) adopted Guidelines 7/2020 on the concepts of controller and processor in the GDPR (Guidelines). The Guidelines, which are open for public consultation until October 19, 2020, address three topics – the distinctions between controllers and processors, the relationship between controllers and processors, and the consequences of joint controllership.

Although the other topics bear close consideration, the Guidelines’ analysis of the relationship between controller and processors – in particular, its discussion of Article 28 data processing agreements (DPAs) – should be closely examined by entities using DPAs. This is particularly true given the intense focus on DPAs in the context of international data transfers post Schrems II.

In the below analysis, we first provide a brief background on Article 28 and then discuss its requirements in further detail in the context of the EDPB’s guidance. In summary, the EDBP’s Guidelines require entities to conduct a thorough and considered analysis of these relationships and not simply use boilerplate DPAs.


Continue Reading Analyzing the EDPB’s Guidelines on Article 28 Data Processing Agreements

The fallout from the Schrems II judgment continued on Tuesday with an announcement from Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) that the Swiss-US Privacy Shield regime “does not provide an adequate level of protection for data transfer from Switzerland to the US pursuant to [Switzerland’s] Federal Act on Data Protection (FADP).”

Continue Reading Switzerland’s DPA Concludes that Swiss-US Privacy Shield Does Not Provide Adequate Level of Protection

Keypoint: Representatives of the European Commission and EDPB advised that further guidance on cross-borders data transfers are forthcoming.

Last week, Didier Reynders, European Commissioner for Justice, and Dr. Andrea Jelinek, Chair of the European Data Protection Board (EDPB), appeared at a hearing conducted by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, and updated committee members on their work since the Schrems II decision.


Continue Reading European Commission and EDPB Provide Update on Efforts to Address Cross-Border Transfers After Schrems II

Keypoint: The EDPB’s FAQs resolve some open questions, such as whether there will be a grace period for companies relying on Privacy Shield, but raise other questions, such as what “supplementary measures” companies need to put in place to use Standard Contractual Clauses and Binding Corporate Rules.

In the wake of the Court of Justice of the European Union’s Schrems II judgment, on July 23, 2020, the European Data Protection Board (EDPB) adopted a Frequently Asked Questions document to “provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S.” The EDPB stated that the document will be updated, and further guidance provided, as it continues to examine and consider the judgment.


Continue Reading EDPB Issues Guidance for Cross-Border Data Transfers in Wake of Schrems II Judgment

Over the past few months, there have been numerous developments in state, federal and international privacy law. On Wednesday, August 5, 2020, from 12:00 – 1:00 C.T. members of Husch Blackwell’s privacy and data security practice group will present a webinar providing an overview of the rapidly changing privacy law landscape.  Click here for more

In a ground-breaking opinion issued today, the Court of Justice of the European Union invalidated the EU-US Privacy Shield Decision as a method for transferring personal data from the EU to the US. In short, the Decision was invalidated over Privacy Shield’s failure to adequately address US government surveillance activities.

Conversely, the Court upheld the use of standard contractual clauses for transfers of personal data to third countries but emphasized that the parties are under an obligation to ensure that the laws in the recipient country are sufficient.  Specifically, the Court held that GDPR Article 46(1) and 46(2)(6) “must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed” in European law.


Continue Reading CJEU Invalidates EU-U.S. Privacy Shield; Upholds Standard Contractual Clauses

On Monday, the Chair of the European Data Protection Board (EDPB) issued a statement on the processing of personal data in the context of the COVID-19 outbreak. In that statement, the Chair acknowledged that although the EU General Data Protection Regulation (GDPR) provides broad and comprehensive privacy rights to individuals, it does have mechanisms in