General Data Protection Regulation (GDPR)

Norway’s Datatilsynet issues detailed FAQ’s on #SchremsII:

Notable takeaways:

“[T]he additional measures…could potentially be…legal, technical or organizational measures. At present…there is great uncertainty about what kind of additional measures may be sufficient if the third country has laws that take precedence over…or otherwise lower the level of protection. This means that at present it is

  • The Bailiwick of Guernsey’s Office of Data Protection Authority has stated its position on #SchremsII: You must invest resources into ensuring appropriate safeguards are in place.
  • Identify if you have been relying on the EU-U.S. Privacy Shield for data transfers. Check the terms of service, contracts or privacy statements for all third parties you

Germany’s  Datenschutzkonferenz (DSK) issues its guidance on Shrems II:

  • The transfer of personal data to the United States based on Privacy Shield is not permitted and must be discontinued immediately.
  • Standard contractual clauses can continue to be used, but, depending on the result of the assessment of the data exporter, additional measures may be required.

The UK’s Information Commissioner Office’s has issued a revised statement on the Schrems II.

“Further work is underway by the European Commission and EDPB to provide more comprehensive guidance on extra measures you may need to take. In the meantime you should take stock of the international transfers you make and react promptly as guidance

The International Association of Privacy Professionals (IAPP) explains the nexus of Schrems II, Privacy Shield and Brexit.

“While the adequacy assessment for the U.K. is currently underway, a U.K. adequacy finding is by no means a given. Given that the EU-U.S. Privacy Shield appears to have been invalidated primarily because of concerns about U.S. law

The European Data Protection Board has issued its much anticipated FAQs on what the Court of Justice of the European Union’s decision in Schrems II means for cross-border data transfers.

There is still no word on the “supplementary measures” that companies will need to implement on top of Standard Contract Clauses and Binding Corporate Rules

In a landmark decision in what is popularly known as the “Schrems II” case, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield, the framework that facilitated the transfers of personal data from the European Union to the United States for thousands of companies. The court cited the breadth of National

After a number of data protection authorities issued statements demonstrating differing approaches to cross-border transfers to the U.S. in the wake of the Court of Justice of the European Union’s decision in Schrems II (e.g. several of the German DPAs), the Spanish data protection authority Agencia Española Proteción Datos (AEPD) stressed the importance of a

“The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States