Norway’s Datatilsynet issues detailed FAQs on #SchremsII:

Notable takeaways:

“[T]he additional measures…could potentially be…legal, technical or organizational measures. At present…there is great uncertainty about what kind of additional measures may be sufficient if the third country has laws that take precedence over…or otherwise lower the level of protection. This means that at present it is very challenging to transfer personal data to such third countries, and in practice it will probably not be possible for most people to do so. EDPB is working to investigate what ‘further measures’ may entail.”

“Many may have difficulty doing what is necessary to make a transfer to a third country legal, for example because

  • You do not have a valid transfer basis in place
  • You lack the resources or expertise to carry out the necessary assessments
  • You believe the outcome of the assessments requires additional measures, but don’t know which additional measures are sufficient

In such cases, it is illegal to transfer personal data to unauthorized third countries.”

Read the full text of the FAQ.

  • The Bailiwick of Guernsey’s Office of the Data Protection Authority has stated its position on #SchremsII: you must invest resources into ensuring appropriate safeguards are in place.
  • Identify if you have been relying on the EU-U.S. Privacy Shield for data transfers. Check the terms of service, contracts or privacy statements for all third parties you may use to process your data including ubiquitous social networks, mailing providers; event registration providers, collaboration software.
  • If you have been relying on Privacy Shield you must work towards an alternative.
  • If you are relying on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), you must comprehensively review them and ensure they accurately reflect detailed consideration of risks and safeguards.
  • It is clear that relying on “derogations” in light of this judgement is no longer a straightforward matter, and reliance upon any mechanism cannot be a paper exercise.
  • While this judgement does not prohibit data transfers outside of the European Economic Area and adequate jurisdictions, you do need to carefully review your position and invest resources into ensuring appropriate safeguards are in place.

EU/US Privacy Shield data transfers invalid

Senate Bill 8450C, or An Act to Amend the Public Health Law in relation to the Confidentiality of Contact Tracing Information, passed the New York State Senate and Assembly and will be delivered to the governor’s office for signature.

The bill requires that information collected for COVID-19 contact tracing be kept confidential and not be disclosed other than as necessary to carry out contact tracing or a permitted purpose.

Interestingly, the bill adopts the California Consumer Privacy Act (CCPA) approach to the definition of “de-identified information” and defines it as: “the information cannot identify or be made to identify or be associated with a particular individual, directly or indirectly and is subject to technical safeguards and policies and procedures that prevent re-identification, whether intentionally or unintentionally, of any individual.”

Read the full text of the legislation.

Germany’s Datenschutzkonferenz (DSK) issues its guidance on Schrems II:

  • The transfer of personal data to the United States based on Privacy Shield is not permitted and must be discontinued immediately.
  • Standard contractual clauses can continue to be used, but, depending on the result of the assessment of the data exporter, additional measures may be required. (This is different from the position expressed by the Berlin DPA.)
  • The DSK does not list the supplementary measures.
  • The requirement for assessment / supplementary measures applies to BCRs as well.
  • Transfers pursuant to Art. 49 derogations are permissible provided that the conditions of Art. 49 are met. The DSK refers readers to the European Data Protection Board guidance on this.
  • The European Court of Justice did not provide any grace period on enforcement.
  • The German supervisory authorities will coordinate their actions with their colleagues in the European Data Protection Board and will also advise on more specific issues in the future.
  • The DSK supports the position of the European Data Protection Board as expressed in the FAQs recently published by it.

Read the full DSK guidance.

Cookies and trackers sat on a wall.
Cookies and trackers had a great fall.
…and all the regulators and all DPAs couldn’t put cookies together again.

The Spanish Agencia Española de Protección de Datos (AEPD) has issued revised guidance on cookies and trackers under the EU ePrivacy regime, updated to account for the consent guidelines issued by the European Data Protection Board.

Per the guidance:

  • The option to “continue browsing” does not constitute, under any circumstances, a valid way of giving consent.
  • So-called “cookie walls” that do not offer an alternative to consent may not be used.

This comes on the heels of a decision by the French Conseil d’État invalidating similar guidance by the French CNIL.

Read the full guidance from the AEPD.

The UK’s Information Commissioner’s Office has issued a revised statement on Schrems II.

“Further work is underway by the European Commission and EDPB to provide more comprehensive guidance on extra measures you may need to take. In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available”.

“The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this.”

“We are … taking the time to consider carefully what this means in practice. We will continue to apply a risk-based and proportionate approach in accordance with our Regulatory Action Policy.”

“The ICO understands the many challenges UK businesses are facing at the present time and we will continue to provide practical and pragmatic advice and support.”

Read the full statement.

Will the Coronavirus pandemic provide the push needed for a U.S. Federal Privacy law?

“The leaders of the House subcommittee responsible for drafting Federal privacy legislation agree about the need to resume working together in order to pass a national standard, while the panel’s top Republican called for clarity on liability protections.”

“Although the pandemic broke the rhythm of our talks,” said Rep. Cathy McMorris Rodgers, R-Wash., “it has made the need for a strong national privacy standard more urgent.”

“Data privacy is the most fundamental consumer protection we could advance, and we should right now be working together,” said McMorris Rodgers.

“If we don’t act now and work together, I fear a few more years will slip away before we see real action,” said McMorris Rodgers. “It has never been more important that we set a national standard.”

Details from MeriTalk.

The New York State Senate has approved a measure that would protect the privacy of contact tracing data.

“The NY state Senate approved a measure (S.8450C/A.10500C) that would keep contact tracing information confidential and ensure it is only used for tracing efforts.”

“All private contractors hired for contact tracing would be required to dispose of the information, deliver it to governmental contact tracing entities, or de-identify information in their possession within 30 days of receiving it, under the measure. Those steps can be postponed for up to 15 days if contractors are still actively engaged in contact tracing.”

“The measure would authorize the disclosure, possession, or use of contact tracing information that has been de-identified, for public health and research purposes.”

“Law enforcement and immigration authorities, including federal agencies, would not have access to the information except in certain circumstances.”

“The bill also directs the state and New York City health commissioners to create regulations on technical safeguards for the storage, transmission, and use of the data.”

Details from Bloomberg Law.

The International Association of Privacy Professionals (IAPP) explains the nexus of Schrems II, Privacy Shield and Brexit.

“While the adequacy assessment for the U.K. is currently underway, a U.K. adequacy finding is by no means a given. Given that the EU-U.S. Privacy Shield appears to have been invalidated primarily because of concerns about U.S. law and practice on government surveillance, similar arguments could be made in relation to the U.K. adequacy assessment. This is particularly so in view of the broad powers of the U.K. authorities to intercept communications and require access to data under the Investigatory Powers Act 2016.”

Details from the IAPP.

The European Data Protection Board has issued its much anticipated FAQs on what the Court of Justice of the European Union’s decision in Schrems II means for cross-border data transfers.

There is still no word on the “supplementary measures” that companies will need to implement on top of Standard Contractual Clauses and Binding Corporate Rules for transfers to third countries without an adequate level of protection, such as the United States, but the FAQs contain some guidance on the framework of the discussion and on how data exporters should start thinking about this issue.

Details in this client alert.