June Data Wrap: A snapshot of key regulatory developments

A sneaky entry into the June data wrap given that it was actually announced on Monday 10 July, but the European Commission (the “Commission”) has now adopted its adequacy decision for the EU-US Data Privacy Framework (the “Framework”). The decision means that personal data can now freely flow to organisations participating in the Framework without the need for transfer impact assessments or standard contractual clauses.

In its press release, the Commission explained that the Framework introduces new binding safeguards to address concerns raised by the European Court of Justice (“CJEU”) in the Schrems II case, which invalidated the previous US adequacy decision (the EU-US Privacy Shield). However, Max Schrems and his non-profit organisation NOYB have already publicly stated that they have prepared the paperwork to help challenge the new regime and bring it before the CJEU for a third time. Their view is that the new Framework is largely a copy of the previous EU-US Privacy Shield and that it fails to address the fundamental issues raised in the Schrems II case.

However, the process involved for legal challenges such as NOYB’s potential case is rarely quick, and many organisations struggling with compliance in the aftermath of the Schrems II ruling will be relieved that an alternative mechanism is available to rely on for US data transfers in the meantime. Of note, the adequacy decision has a built-in review mechanism, with the first review by the Commission due to take place in one year.

It is expected that there will be a transition period for organisations that remained registered under the Privacy Shield, while new applicants will need to go through a different process through which US organisations apply to participate in the Framework. The Framework will be administered by the US Department of Commerce, which will process applications for certification and monitor whether participating companies continue to meet the certification requirements. The US Federal Trade Commission will be responsible for enforcing US companies’ compliance with their obligations under the EU-US Data Privacy Framework.

A more detailed review of the Framework will follow on HSF Data Notes.

Following UK Prime Minister Rishi Sunak’s visit to the US to launch the ‘Atlantic Declaration’, which is intended to create an economic partnership between the two nations, the UK Secretary of State for Science, Innovation and Technology and their US counterpart announced that they have committed in principle to establish a data bridge between the UK and the US (“Data Bridge”). The Data Bridge would act as a UK extension to the EU-US Data Privacy Framework and facilitate data flows between the two countries, speeding up an established relationship of transfers which are currently burdened with costly contract clauses for US participants. By relieving some of the red-tape duties placed upon American organisations, the Government hopes to speed up processes and reduce costs for UK entities engaging in business with US firms.

It is expected that, following the adoption of the EU’s adequacy decision in the form of the EU-US Data Privacy Framework, the UK position will gather pace.

The European Council and European Parliament have reached an agreement on the proposed Data Act for fair access to and use of non-personal data. According to the Council’s press release, the proposed regulation will allow users of connected devices, ranging from smart home appliances to smart industrial machinery, to gain access to data generated by their use which is currently harvested exclusively by manufacturers and service providers. It will also provide the means for public sector bodies to access and use data held by the private sector that is necessary in exceptional circumstances, particularly in cases of public emergency. Finally, the agreement clarifies the interplay between the Data Act and other legislation, such as the GDPR.

The text will now undergo legal-linguistic review with an unofficial version expected mid-July and the final version formally adopted in September according to Global Data Review. Once adopted, the Data Act will enter into force on the 20th day following its publication in the EU’s Official Journal and will apply after a 20-month grace period, which is expected to end at some point in 2025.

A more detailed review of the Data Act will follow on HSF Data Notes.

On 14 June 2023, the European Parliament adopted its negotiating position on the EU AI Act.

The proposed rules follow a risk-based approach and establish obligations for developers and those deploying AI systems depending on the level of risk the AI can generate. AI systems with an unacceptable level of risk to people’s safety would be prohibited. The European Parliament expanded the list to include bans on intrusive and discriminatory uses of AI, such as untargeted scraping of facial images from the internet to create facial recognition databases.

Providers of foundation models would have to assess and mitigate possible risks (to health, safety, fundamental rights, the environment, democracy and rule of law) and register their models in the EU database before their release into the EU market. Generative AI systems based on such models, like ChatGPT, would have to comply with transparency requirements (disclosing that the content was AI-generated, also helping distinguish so-called deep-fake images from real ones) and ensure safeguards against generating illegal content.

Trilogue negotiations with the European Council have now started and we expect key areas for debate to initially include the definitions of both AI and high-risk use cases, as well as discussion around conformity assessments. For more information about the proposed EU AI Act, see our Techquake article here. A more detailed review of the path to finalising the EU AI Act will follow on HSF Data Notes.

The EDPB has published its finalised guidance on the calculation of GDPR fines (the “Guidance”) following an earlier public consultation.

The Guidance sets out a 5-step methodology, taking into account: (i) the instance (or instances) of sanctionable conduct; (ii) the starting point for the calculation of the fine; (iii) any aggravating or mitigating factors; (iv) the relevant legal maximums for fines as set out in the GDPR; and (v) satisfaction of the requirements of effectiveness, dissuasiveness and proportionality.

The Guidance also sets out considerations relating to the overall turnover of the undertaking when looking to impose an effective, dissuasive and proportionate fine. Supervisory authorities are expected to tailor the amounts within the range available in the Guidance, up to the legal maximum. For example, for undertakings with an annual turnover of €50 million up to €100 million, supervisory authorities may consider calculating the fine on the basis of a sum between 8% and 20% of the identified starting amount. As a general rule, the higher the turnover of the undertaking within its applicable tier, the higher the starting amount is likely to be.

On 19 June 2023, the ICO published new guidance (the “Guidance”) on privacy-enhancing technologies (“PETs”) which has been drafted to help organisations better understand how to use the technology. In particular, the Guidance covers how PETs can be used to help organisations comply with data protection requirements, including the data minimisation principle and ‘data protection by design and default’.

The Guidance is aimed at two types of reader, with the first section addressing points of interest for individuals that oversee data protection in large companies, including data protection officers, and the second section catering to a more technical readership, including those managing large personal data sets in finance, healthcare and government.

The following types of PETs, their functionality and associated risks are examined in detail from a technical perspective: (i) Differential privacy; (ii) Synthetic data; (iii) Homomorphic encryption; (iv) Zero-knowledge proofs; (v) Trusted execution environments; (vi) Secure multiparty computation; (vii) Private set intersection; and (viii) Federated learning.

Key Contacts

Miriam Everett, Partner, +44 20 7466 2378
Claire Wiseman, Professional Support Lawyer, +44 20 7466 2267
Duc Tran, Of Counsel, +44 20 7466 2954
Angela Chow, Senior Associate, +44 20 7466 2853
Katie Reid, Paralegal, London, +44 20 7466 2962

March Data Wrap: A snapshot of key regulatory developments

March saw the UK Government recommence its efforts to reform the UK data regime by introducing the aptly named “Data Protection and Digital Information Bill (No.2)” to Parliament on 8 March 2023. The second draft bill supersedes the original version that was paused in September to allow ministers to rethink their approach and engage in a co-design process with businesses, promising a more “tailored”, “truly bespoke” and “business friendly” British system of data protection. Despite ministers hinting that significant amendments would be made to the draft text, the second draft bill largely serves to fine tune and clarify a number of the proposed amendments set out in the first draft bill to existing UK data protection laws. Refer to our blog here for further details of the changes proposed in the second draft.

March also saw a flurry of activity at the UK and EU levels around AI-specific regulation. The Department for Science, Innovation and Technology (“DSIT”) published its long-awaited white paper on the UK’s approach to regulating AI technologies. Against the backdrop of a pro-innovation Spring Budget 2023, the proposals in the AI regulation white paper aim to help create the “right environment for artificial intelligence to flourish safely in the UK”, taking an “adaptable approach” to future-proof regulation by empowering existing regulators to tailor context-specific and sector-led approaches in line with five common principles. The government intends to avoid introducing either a new single regulator for AI governance or heavy-handed legislation, an approach that is distinct from the European Commission’s comprehensive centralised legislative framework in the draft EU AI Act, which is set to undergo a vote by the European Parliament’s IMCO (Internal Market and Consumer Protection) and LIBE committees towards the end of April.

In parallel, the UK ICO updated its “Guidance on AI and Data Protection” in response to industry feedback, to keep pace with new challenges and opportunities presented by AI and underpin the ICO’s commitment as part of its ICO25 strategic plan – areas of interest include new chapters / additions on transparency in AI, assessments in DPIAs, ensuring fairness in AI and lawfulness in AI. The Italian data supervisory authority – Garante – also introduced a temporary ban on the chatbot ChatGPT and launched an investigation into its provider, OpenAI, for suspected breaches of the EU GDPR and failure to implement age verification systems.

The EU has continued to progress the regulation of data beyond just “personal data”. The European Commission’s proposed EU Data Act aims to establish a harmonised cross-sectoral governance framework to make it easier for business to access and use non-personal data – this has potential to fundamentally change the environment for data-driven business models in the EU, including where data is used for AI purposes. During March 2023 the European Parliament plenary session adopted its position on the proposed EU Data Act, including additions intended to give individuals greater control over their non-personal data and to incentivise data-sharing. Other additions by the European Parliament include strengthening protections to stop organisations using accessed data to retro-engineer competitors’ products and putting stricter conditions on data that governments are entitled to request from organisations.

The European Council (comprising each of the member states) also adopted its position on the Data Act shortly after, setting out various changes in its negotiating mandate as well, including around the interaction between the proposed Data Act and existing data protection law, and the rules on switching between data processing services such as cloud computing services. Trilogue negotiations between the European Parliament, the European Council and the European Commission (the latter will be consulted) are now set to begin in the coming weeks.

The European Commission is planning to make cross-border enforcement of the EU GDPR more efficient, including harmonising aspects of the administrative procedure that data protection authorities apply across the EU when enforcing the EU GDPR in cross-border cases. Inconsistencies and lack of harmonisation across member states in the one-stop-shop process are thought to have been an issue for quite some time and the European Commission intends to support smoother functioning of the GDPR cooperation and dispute resolution mechanisms. The Commission’s proposal is expected to be published in Q2 2023 and is in response to a proposed “one-stop-shop” reform that the European Data Protection Board (“EDPB”) sent to the Commission in October 2022. It also follows a call for views which the Commission launched in February 2023 following receipt of the EDPB’s proposal.

In the latest twist in the replacement international data transfer framework between the EU and US, the EDPB has raised concerns with the European Commission’s draft EU-US Data Privacy Framework (DPF) adequacy decision published in December 2022. The draft DPF is intended to replace the EU – US Privacy Shield, which was invalidated by the Court of Justice of the EU (CJEU) in the so-called “Schrems II” ruling (refer to our blog here). In a non-binding opinion recently issued by the EDPB, it welcomes “substantial improvements” such as requirements around the principles of necessity and proportionality for US intelligence gathering of data and a new redress mechanism for EU data subjects. However, concerns remain and the EDPB requests clarification on several points as well, including certain rights of data subjects, onwards transfers, the scope of exemptions, temporary bulk collection of data and the practical functioning of the redress mechanism.

The EDPB also requests that both the entry into force and adoption of the adequacy decision are conditional on US intelligence agencies adopting updated policies and procedures to implement Executive Order 14086, commitments made by US President Joe Biden last year in part to address concerns raised in the “Schrems II” ruling (refer to our blog here). A committee of member state representatives now needs to give its opinion on the DPF before the Commission can adopt the framework – while the EDPB’s opinion is not binding, it is expected to influence this process. The European Parliament LIBE Committee also rejected the adequacy decision in February 2023 on the basis that it fails to create equivalence and urged the Commission to only adopt a decision after meaningful US reforms. Refer to our blog here for further details on the background to the EU – US Data Protection Framework.

Remaining on the international data transfer theme, the Cyberspace Administration of China has officially released its long-awaited, final version of the Standard Contract for outbound cross-border transfer of personal data. This is one of three permitted mechanisms for transferring personal data outside of China and is expected to be the most frequently used – being the least complicated mechanism with the lowest cost of compliance. The Measures for the Standard Contract for Outbound Cross-border Transfer of Personal Data and the final version of the Standard Contract will come into force on 1 June 2023 and their contents remain largely consistent with the June 2022 consultation drafts but with some important variations. There are also still a number of areas that require clarification. Refer to our blog here for further details of criteria for when the standard contract can be used for international data transfers and areas requiring further clarification.

Key Contacts

Miriam Everett, Partner, +44 20 7466 2378
Claire Wiseman, Professional Support Lawyer, +44 20 7466 2267
Duc Tran, Of Counsel, +44 20 7466 2954
Angela Chow, Senior Associate, London, +44 20 7466 2853

 

President Biden’s Executive Order implements EU-US data privacy framework

President Biden recently issued an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the Privacy EO) outlining steps that the US Government is taking to implement the US commitments under the European Union-US Data Privacy Framework (the Privacy Framework) that the US and the European Commission (EC) announced in March 2022 to address concerns previously raised by the Court of Justice of the European Union when it invalidated the 2016 EU-US Privacy Shield regime via the 2020 Schrems II ruling (please see our previous blog post on the Privacy Framework here).  Although the EU-US Privacy Shield was designed with the EU’s 2018 General Data Protection Regulation (GDPR) in mind, the court in Schrems II held that the Privacy Shield was inadequate to meet GDPR data privacy standards.  Since Schrems II, companies transferring data between the EU and US have had to rely upon case-by-case assessments and standard contractual clauses (SCCs).  The Privacy EO is designed to address the concerns identified in Schrems II, given the significant economic value of trans-Atlantic data exchanges.

Among other items, Schrems II highlighted (i) the lack of binding safeguards in place under US law to limit the access to personal data by US intelligence agencies to only data which is necessary and proportionate to protect national security, and (ii) the lack of an effective means for redress to replace the “Ombudsman” under the EU-US Privacy Shield.  In summary, the Privacy EO addresses both of these points:

  • It strengthens US privacy safeguards and sets parameters around US “signals intelligence” activities, which refer to the US intelligence community’s collection and analysis of foreign (non-US) electronic, digital and related communications and data.  Notably, the Privacy EO requires collection to be “necessary” and “proportionate” to US national security needs, see Privacy EO § 2(a)(ii)(A), (B), which differs from the “reasonableness” standard under the EU-US Privacy Shield.
  • The Privacy EO also creates a tiered redress mechanism to review privacy-related complaints concerning US signals intelligence activities.  In response to the Privacy EO, the EC announced it would begin preparation of a draft “adequacy” decision and commence its adoption procedures, which could result in a final adequacy decision around March 2023, while also noting that in the EC’s view the Privacy EO would implement “significant improvements” over the Privacy Shield, particularly in respect of avenues to address privacy concerns about US collection activities.  As of this writing, the European Commission has recognized 14 countries as providing an adequate level of data protection for purposes of the GDPR.

The following provides a brief overview of certain requirements that the Privacy EO imposes on the US intelligence community:

Additional safeguards.  The Privacy EO requires that signals intelligence activities must be authorized by and undertaken in accordance with US law or Presidential directive, which will “ensure that privacy and civil liberties are integral considerations in the planning and implementation of such activities.”  Intelligence gathering may be conducted only in pursuit of 12 “legitimate objectives,” which are defined to include (among various matters) understanding the capabilities, intentions, or activities of a foreign government, a foreign military or a foreign organization (including criminal or terrorist organizations) in order to protect US national security and US allies and partners, as well as guarding against cybersecurity threats.  Signals intelligence activities may be conducted only in a manner “that is proportionate to the validated intelligence priority for which they have been authorized.”  Among other activities expressly prohibited by the Privacy EO (and as noted in an accompanying White House fact sheet) is the collection of “foreign private commercial information or trade secrets to afford a competitive advantage” to US businesses, although such information may be lawfully collected to protect US or allied national security interests.

Targeted vs. bulk collection.  Signals intelligence collection, per the Privacy EO, is to be “as tailored as feasible to advance a validated intelligence priority” and may not disproportionately impact privacy and civil liberties.  Targeted collection is the standard, and bulk collection of signals intelligence will not be permitted unless there is a US Government determination that the information necessary to advance a validated intelligence priority “cannot reasonably be obtained by targeted collection.”  Even then, bulk collection may be used only to protect against: (i) terrorism and hostage taking; (ii) foreign espionage, sabotage, assassination, or other intelligence activities; (iii) threats from/proliferation of weapons of mass destruction; (iv) foreign cybersecurity threats or malicious cyber activities; (v) threats to US or allied personnel; and (vi) international criminal threats, including from financial crimes and sanctions evasion.

Handling of personal information.  US intelligence agencies that collect personal information (PI) via signals intelligence must establish procedures to minimize the dissemination and retention of such PI.  Among other restrictions, the Privacy EO limits PI dissemination within the US Government only on a need-to-know basis and only if such information will be “appropriately protected.”  Non-US persons’ PI may be retained “only if the retention of comparable information concerning United States persons would be permitted under applicable [US] law,” and foreign PI will be subject to the same retention periods that would apply to comparable information concerning US persons.

Updated signals intelligence policies and procedures.  The US intelligence community is directed to update their respective policies and procedures, after consultation with the US Attorney General, the Civil Liberties Protection Officer (CLPO) of the Office of the Director of National Intelligence, and the Privacy and Civil Liberties Oversight Board, in order to implement the privacy and civil liberties safeguards of the Privacy EO.  The policies/procedures are to be published to the extent intelligence and national security factors allow.  Among other requirements, US intelligence entities that collect signals intelligence must provide compliance training to all employees that intersect with such intelligence, and must have in place senior-level legal and oversight officials, including an Inspector General and a Privacy and Civil Liberties Officer, to ensure compliance with the Privacy EO and related laws.

Signals intelligence redress mechanism.  The Privacy EO creates a two-tiered mechanism to investigate and address complaints that PI collected via US signals intelligence activities was collected or handled by the US Government in violation of US law.  At the first level, the CLPO would initially conduct an investigation of the complaint to determine whether US laws were violated, “taking into account both relevant national security interests and applicable privacy protections,” and if so, would determine the “appropriate remediation” for any violation.  CLPO determinations are binding on the US intelligence community, subject to a contrary determination by the newly established Data Protection Review Court.

The second redress level involves review by that Data Protection Review Court (DPRC). Shortly after the Privacy EO was issued, and as directed by the Privacy EO, the US Department of Justice issued regulations establishing the DPRC (see 28 C.F.R. Part 201) in a Final Rule published on October 7, 2022 (the DPRC Regulations). The preamble to the DPRC Regulations provides that the DPRC will review determinations made by the CLPO in response to qualifying complaints that allege certain violations of US law in connection with US signals intelligence activities. The DPRC Regulations impose a standard of proof of “substantial evidence,” which is the standard applied by US administrative agencies. It generally represents a lower standard than, for example, the “preponderance of the evidence” standard used in the civil context.

To facilitate independent and impartial review, DPRC judges are not subject to the day-to-day supervision of the US Attorney General, and have certain protections against removal from office. DPRC decisions, including as to remedial measures to be imposed on US intelligence agencies, will be deemed final and binding.  To assist the DPRC’s review, the Privacy EO and attendant regulations provide for the selection of a “special advocate” to press the complainant’s interests and make sure that the DPRC panel is “well informed of the issues and the law” with respect to the matter under review.

Finally, the White House issued a National Security Memorandum dated October 7, 2022, which partially revokes Presidential Policy Directive 28 (PPD-28) dated January 17, 2014.  The court in Schrems II specifically cited PPD-28 as a key component of its finding that the United States lacked adequate protections, noting that PPD-28 does not create actionable rights for data subjects in US courts and allows for “bulk” data collection.


The US Secretary of Commerce will transmit letters from the relevant US government agencies regarding the operation and enforcement of the Framework and the Privacy EO in the coming weeks and will work with Privacy Shield participants (i.e., the more than 5000 companies currently registered under the EU-US Privacy Shield) to facilitate the transition to the new Framework. A number of additional steps will be required before the Privacy EO and DPRC Regulations are fully implemented, including, but not limited to, an adequacy decision from the EU.

We will continue to monitor developments.

Key Contacts

Joseph Falcone, Partner, +1 917 542 7805
Christopher Boyd, Associate, +1 917 542 7821

 

WHAT WE KNOW SO FAR ABOUT THE NEW TRANS-ATLANTIC DATA PRIVACY FRAMEWORK

Summary

Following the European Commission’s (“EC”) announcement of the new Trans-Atlantic Data Privacy Framework (the “Framework”) earlier this year, lawyer and privacy activist Max Schrems’ organisation, NOYB, recently issued an open letter to EU and US officials arguing that the proposed framework is unlikely to withstand legal challenge and overly resembles its predecessor, the now-defunct Privacy Shield.

In this article, we set out what we know about the Framework so far.

Background

The Framework is intended to enable data transfers to be made from the EU to participating US companies in a safe and secure manner, presumably without the need for additional safeguards (e.g. entry into standard contractual clauses (“SCCs”) and the more recent accompanying requirement to conduct transfer impact assessments (“TIAs”)) and in a way that was possible when the Safe Harbour scheme and Privacy Shield were still valid.

By way of a recap, the Safe Harbour scheme allowed participating US companies to self-certify that they adhered to seven key data protection principles (notice, choice, onward transfer, security, data integrity, access and enforcement) and complied with various EU-focussed data privacy requirements. However, in 2015, the Court of Justice of the European Union (“ECJ”) ruled that the US Safe Harbour scheme was invalid (Schrems v DPC) on the grounds that it did not provide EU citizens with a clear mechanism of redress for data privacy concerns and permitted excessive access by US authorities to the personal data of such EU citizens.

After the Safe Harbour scheme was invalidated, the EC and US Department of Commerce passed the EU-US Privacy Shield, which built upon the Safe Harbour scheme in a number of ways with the aim of improving the level of protection afforded to the personal data of EU citizens. However, following the Schrems II decision in 2020, the Privacy Shield regime was also ruled invalid on the basis of, amongst other things, its failure to limit data surveillance powers by US authorities and to provide data subjects with the means to seek effective judicial remedy before an independent body that could offer guarantees in line with EU law.

What will the new framework include?

The Framework will reportedly build upon the structure of the Privacy Shield regime and will focus on several key principles and actions. The Framework will:

  • apply new safeguarding measures to ensure that access to data by US intelligence authorities is limited to what is necessary and proportionate and will only be used in pursuit of defined national security objectives (this has, however, been challenged by NOYB, which highlighted the finding in the Schrems I and II judgments that practices under US surveillance laws are rarely limited to what is necessary and proportionate);
  • establish a two-tier redress mechanism, providing EU citizens with direct remedial measures through a newly established Data Protection Review Court (“DPRC”) to resolve complaints regarding access of data by U.S. intelligence authorities (this has also been challenged by NOYB which contends that this only provides the illusion of redress as US authorities will likely review the DPRC’s decisions and it is unlikely that the US will be required to disclose any surveillance operations which amount to ‘state secrets’, leaving data subjects unaware of these activities and unable to challenge them);
  • require US intelligence agencies to implement effective procedures to ensure oversight over new privacy and civil liberties standards; and
  • require organisations that wish to rely on the Framework to legally protect data flows to continue to follow the Privacy Shield principles including by self-certifying their adherence to these principles through the U.S. Department of Commerce.

How does the new framework interact with the current issues surrounding the transfer of personal data to the US in the context of services provided by US tech companies?

The development of the Framework is taking place against the backdrop of a growing number of data protection authorities across the EU ruling (or at the very least warning) against the use of data processing tools operated by large US-based tech companies which involve the transfer of personal data to the US. These rulings were triggered in part by NOYB, who filed the underlying complaint.

These rulings centre around the use of such tools (e.g. web analytics tools) resulting in user data, including device IP addresses, being transferred to the US in the absence of necessary safeguards, with EU data protection authorities finding the protections applied insufficient for the purposes of addressing the requirements of EU data protection legislation. One of the key reasons cited for this is the ability of US intelligence agencies to access transferred personal data under US surveillance laws.

The addition of the requirement to conduct TIAs and obligations on third country recipients of personal data to provide information about government access requests (where legally possible) to the new SCCs should assist organisations with the identification of supplementary measures to address the risks associated with transferring personal data to the US in the course of using these tools (e.g. activation of IP anonymisation features, obtaining consent from users for the use of their data for analytics purposes and making international transfers of their data in a cookie banner). However, putting these measures in place might not serve to fully mitigate the risks associated with transferring personal data to the US in the eyes of EU data protection authorities.

In light of this, a new data transfer framework that addresses these concerns and all of the issues that caused both the Safe Harbour scheme and Privacy Shield regime to be struck down will be a welcome development for US-based tech companies and the extremely broad base of EU-based customers that use their tools.

Conclusion

Currently, the US Government and the EC are working towards translating the proposed Framework into legal documents that can be adopted on both sides. Until the substantive terms of the agreement reached between the US and the EC have been published, there is still a degree of uncertainty as to whether it will sufficiently address issues raised by the Schrems II ruling (and whether NOYB’s concerns are founded) or the concerns expressed by data protection authorities across the EU in relation to the transfer of personal data to the US. As such, it remains to be seen whether this latest EU-US transfer mechanism will amount to an effective data transfer mechanism or whether it will meet the same fate as its predecessors. However, some form of legal challenge in the future seems almost inevitable.

Key Contacts

Duc Tran, Of Counsel, London, +44 20 7466 2954
Katie Reid, Paralegal, London, +44 20 7466 2962

Schrems II: Reaction from European Regulators and Technology Companies Suggest an Uncomfortable Road Ahead for Transatlantic Data Transfers

To recap, last week the European Court of Justice (“ECJ”) ruled that the Privacy Shield is invalid and placed significant emphasis on the due diligence which exporting controllers, recipients and supervisory authorities are expected to undertake in relation to transfers of personal data to third countries which are governed by the Standard Contractual Clauses (“SCCs”). As foreshadowed in our initial reaction to the Schrems II judgment, and now that we’ve had the benefit of the full judgment and initial commentary from some of the European regulators, the EDPB, and some of the big tech companies, the immediate future of transatlantic data transfers appears to be uncertain and commentary is divided on what is and isn’t possible in light of this new judgment.