The European Data Protection Board has issued draft guidelines on the interplay between Art 3.2 and Chapter V of GDPR. And they also have finally defined the term “transfer.”

Here are some key takeaways:

  • You must comply with the provisions of Chapter V GDPR, including the Schrems II assessment and supplemental measures, even when the recipient is subject to GDPR under Art 3.2.
  • Regardless of whether the processing takes place in the EU or not, controllers and processors always have to comply with all relevant provisions of the GDPR, such as Article 32.
  • When a controller or processor who is subject to GDPR (seemingly even if outside the EU themselves) sends personal data or makes it available to a non EU recipient, even if such recipient is subject to GDPR under Art 3.2, this constitutes a transfer for the purpose of Chapter V.
  • If an individual in the EU, directly and on his/her own initiative sends personal data to a non EU recipient, wait for it, THIS. IS. NOT A. TRANSFER.
  • A transfer may occur where a processor sends data to another processor or even to a controller as instructed by its controller. (eg in the so called ‘reverse transfers.’)
  • In order to qualify as a transfer, there must be a controller or processor disclosing the data (the exporter) and a different controller or processor receiving or being given access to the data (the importer).
  • Remote access by an employee of a company when traveling is not a transfer.
  • Data disclosures between entities belonging to the same corporate group (intra-group data disclosures) may constitute transfer of personal data.
  • Although a certain data flow may not qualify as a “transfer” to a third country in accordance with Chapter V of the GDPR, a controller is nonetheless accountable for all processing that it controls, regardless of where it takes place, and data processing in third countries may involve risks (for example, due to conflicting national laws or government access in a third country, as well as difficulties to enforce and obtain redress against entities outside the EU), which need to be identified and handled (mitigated or eliminated, depending on the circumstances) in order for such processing to be lawful under the GDPR.
  • Controllers should, in accordance with their Art 32 obligations, decide whether the non-EU processing is possible.
  • A new transfer method should be developed which needs to account for the fact that the recipient is already subject to GDPR and therefore include fewer obligations in order not to duplicate the GDPR obligations. Rather, the tool should address the elements and principles that are “missing” and, thus, needed to fill the gaps relating to conflicting national laws and government access in the third country as well as the difficulty to enforce and obtain redress against an entity outside the EU.

Helen Dixon, Ireland’s Data Protection Commissioner, gave the keynote speech during the closing session of the International Association of Privacy Professionals’ Data Protection Congress in Brussels.

Here are a few of the key takeaways.

  • No jurisdiction has all the answers to the challenges posed by the complex digital environment. We need to learn.
  • Ubiquitous is an insufficient word to describe the importance of personal data in our lives.
  • All or us in data protection need to be forthright about calling out the consequences of GDPR that are detrimental to people.
  • Courts in other jurisdictions are not inclined to give remedies for de minimis damages.
  • The expansionist application of GDPR can be balanced by looking again at the priorities of GDPR and reallocating resources of supervisory authorities.

A client requests that you conduct a TIA for data transfers to a US cloud service provider who will (gasp) access the data in the clear.

Do you:

  1. run away and leave a cartoon-like cloud of dust
  2. take their money and laugh
  3. take their money and cry or
  4. other

It was a pleasure to participate in the “#cryandpray: Schrems II transfers IRL” roundtable at the International Association of Privacy Professionals’ Data Protection Congress in Brussels.

We covered several topics, including:

  • How are multinational based in the US approaching cross border transfers of HR data?
  • Will the UK initiative move the needle in the EU, with respect to either: helpful third country assessment information or generally re: risk based?
  • What methodology are companies using for TIAs and risk assessment?
  • How are they approaching TIAs for sub processors and sub sub processors until we reach Middle Earth?
  • Is there anything concrete we can do besides swipe the waterproof mascara and cry and pray?

I had the pleasure of speaking during the Restaurant Technology Network Town Hall about a variety of privacy issues confronting restaurants and food delivery apps, including CCPA, CPRA, CDPA and CPA.

Here are some of my key points:

  • If you are using biometrics for food ordering, payment or authentication , it is best to pause and consider whether you need a notice and consent for this. A new New York law requires prominent signage and the existing Illinois BIPA requires notice and consent and has been litigated heavily.
  • Food delivery applications delivering in NYC are now required to share order information with the restaurant, unless the customer opts out of this sharing. They also need to provide conspicuous notice of the sharing. The restaurants themselves are also limited in how they share the information without consent.
  • If your service utilizes drivers for delivery and pick up and you track them, make sure that you are giving them disclosure of this, do a risk assessment of real time tracking and limit the access permissions to the drivers’ whereabouts to those who really need it. Be mindful of profiling.

Article 23 GDPR gives member states the ability to impose exceptions on some rights and principles under GDPR.

What does that mean? The European Data Protection Board has issued an opinion on the scope of these derogations, and I have written an article breaking it all down.

Some general principles:

  • Any restriction shall respect the essence of the right that is being restricted. This means that restrictions that are extensive and intrusive to the extent that they void a fundamental right of its basic content and cannot be justified
  • A general exclusion of data subjects’ rights with regard to all or specific data processing operations or with regard to specific controllers would not respect the essence of the fundamental right to the protection of personal data, as enshrined in the Charter of Fundamental Rights of the European Union.

Read my article here.

U.S. Representative Cathy McMorris Rodgers, the Republican leader of the House Energy and Commerce Committee, and U.S. Representative Gus Bilirakis, the Republican leader for the Consumer Protection and Commerce Subcommittee, have submitted the “Control Our Data Act” bill.

Here are some key points:

  • Required privacy disclosure, which also needs to include a summary
  • Required notice at collection
  • Consumer rights including: confirmation (that there is data), access (but information only, not specific pieces), correction, deletion, objection to the use of sensitive information
  • Prior express, separate consent for processing of sensitive information
  • Processing of personal information only allowed if one of 5 justifications (similar to the GDPR legal bases) is found
  • Retention limitation- retain only for as long as necessary for the purpose
  • Privacy by design
  • Required risk assessment (DPIA)
  • Requirements for contracts for third party sharing
  • Required measures for information security
  • Data brokers: requirement for privacy notices, periodic audits and central registry
  • FTC to issue regulations and guidance
  • FTC to conduct a study to determine the most effective method of communicating common privacy practices in short-form privacy statements, graphic icons, or other means
  • Enforcement by the FTC with enhanced penalties

Read a draft of the bill here.

Datatilsynet Denmark has issued new guidance on the supervision of data processors.

The guide proposes a scoring system that depends on the nature of the data and of the processing. It also includes six alternative supervision systems that could be used depending on your result.

Concept 1: Do not do anything unless you are aware that something is wrong with the data processor

Concept 2: The data processor confirms, preferably in writing – that all requirements in the data processing agreement are complied with.

Concept 3: The data processor provides you annually – either directly or through its website – with a written status of matters covered by the Data Processor Agreement and other relevant areas (eg organizational or product changes).

Concept 4: The data processor has a relevant and updated certification or follows a so called code of conduct that is relevant to your processing activities

Concept 5: An independent third party has conducted documented supervision of the data processor in an area that also covers your processing activities.

Concept 6: You carry out a documented inspection of the data processor yourself – or together with others.

For a deeper dive, you can read my article here.


The U.K.’s Information Commissioner’s Office (ICO) has responded to the U.K.’s Department for Digital, Culture, Media and Sport’s (DCMS) “Data: Unlimited” initiative.

There is a lot to unpack. Here is an analysis I wrote for OneTrust DataGuidance that may be helpful.

Key points:

  • The current approach does not work for people or businesses and commitment to improving this is welcomed.
  • The proposal to increase fines that can be imposed under PECR (which governs direct marketing) so they are the same level as those under the UK GDPR is welcomed.
  • There are deep concerns about any clarification or changes to the data protection regime that removed the centrality of fairness in how people’s data is used.
  • There are concerns about the proposal to remove the right to a human review of automated decision-making set out in Article 22 of the UK GDPR.
  • The Government’s ambition to increase flows of data safely across jurisdictions, and the proposal to approach adequacy assessments with a focus on risk-based decision-making and outcomes is welcomed. It is important that the approach continues to ensure our existing high standards are maintained.

While presenting this week at the DRI Cybersecurity and Data Privacy Virtual Seminar, I outlined many of the issues currently impacting data security around the world.

Here are some key points:

  • Cookies are a thing. They are getting enforced in the EU by the Commission Nationale de l’Informatique et des Libertés, Agencia Española de Protección de Datos and by It is important you check your website tracking; check your cookie disclosure; check your cookie management platform.
  • Cookies are a thing in the US too. The California Department of Justice has indicated this is a priority. “Do not sell” as it relates to cookies was included in the Attorney General’s recent enforcement report.
  • Schrems II is a reason for US-based providers and multinational companies to try to find pragmatic risk-based solutions. The European Data Protection Board guidance did not leave much room for maneuver, but did re-insert some risk-based approach pertaining to the specifics of each transfer.
  • Ireland’s Data Protection Commission decision on WhatsApp reveals that transparency is key and privacy notices need to be accurate, simple, easy to understand and not consist of endless scrolls and multiple documents. This is reiterated in the California Attorney Genera’s report, as well as in the recent Federal Trade Commission’s report on ISPs.
  • The DPC decision on Facebook may open up a new direction and breadth for the GDPR legal basis on contractual necessity. What is necessary for the performance of the contract? Is it impossibility or whatever has been made clear for the “bargained for exchange?”

The Credit Bureau Association of South Africa has issued a code of conduct for the processing of credit information under the Protection of Personal Information Act, No.4 of 2013 (POPIA).

Here is an analysis I wrote for OneTrust DataGuidance, which may be helpful for GDPR, CPRA, CPA and CDPA.

Key points:

  • Purpose limitation: Personal information which is processed for credit purposes will not be further processed in a manner that is incompatible with the original purpose for processing. The issues of compatibility between direct marketing and credit rating were also recently raised by a complaint filed by
  • Disclosure: Provide detailed privacy disclosure.
  • Data Subject rights must be honored.
  • Security safeguards and accountability program.

The code also distinguishes between the obligation of the credit bureau when collecting directly from individuals or as an operator (processor) for a credit provider.