On 7 December 2020, the French supervisory authority CNIL (Commission nationale de l’informatique et des libertés, French data protection authority) imposed substantive fines on Amazon and Google for allegedly placing advertising cookies on the computers of users in France without prior consent or providing adequate information. Amazon Europe Core was fined 35 million euros, and […]
European Commission Publishes Draft ‘Article 28’ Standard Contractual Clauses
In addition to issuing new (draft) standard contractual clauses for transferring personal data outside of the EEA, on November 12, the European Commission published a draft decision on standard contractual clauses between controllers and processors (‘Clauses’) for the matters referred to in Article 28(3) and (4) of Regulation (EU) 2016/679 (“GDPR”). Article 28(3) and (4) […]
EDPB publishes draft guidelines on the concepts of controller and processor
The European Data Protection Board (“EDPB”) has published draft guidelines on the concepts of controller and processor for public consultation. While its predecessor – the Article 29 Working Party – had issued guidance on the concepts of controller/processor (Opinion 1/2010, WP169) back in 2010, many practical concerns have been raised since the entry into force […]
EDPB Guidance on the Schrems II Ruling: An Early Response to the Cry for Clarity
(This blog post summarizes Wim Nauwelaerts’ (Alston & Bird), Early EDPB Guidance in the Wake of Schrems II – Where E.U.-U.S. Data Transfers Are Headed, Cybersecurity Law Report, Aug. 5, 2020) On July 23, 2020, the European Data Protection Board (EDPB) adopted its first set of guidelines on the Schrems II judgment of the Court […]
EDPB clarifies Brexit obligations for holders of Binding Corporate Rules which have the UK ICO as their lead authority
On July 22, 2020, the European Data Protection Board (‘EDPB’) released an information note on Binding Corporate Rules (‘BCRs’), which provides guidance for groups of undertakings/enterprises which have the UK ICO as their competent supervisory authority (‘BCR Lead SA’) [1]. Binding Corporate Rules are a means of legitimizing transfers of personal data outside of the […]