(This blog post summarizes Wim Nauwelaerts’ (Alston & Bird), Early EDPB Guidance in the Wake of Schrems II – Where E.U.-U.S. Data Transfers Are Headed, Cybersecurity Law Report, Aug. 5, 2020) On July 23, 2020, the European Data Protection Board (EDPB) adopted its first set of guidelines on the Schrems II judgment of the Court […]
International
EU Announces First Sanctions under EU Cyber Sanctions Regime
On July 30, 2020, the European Council announced sanctions against six individuals and three organizations for their involvement in a series of cyber-attacks that have caused significant damage in the EU and around the world over the last several years. The announcement follows the EU’s adoption last year of Decision (CFSP) 2019/797, which established the […]
EDPB clarifies Brexit obligations for holders of Binding Corporate Rules which have the UK ICO as their lead authority
On July 22, 2020, the European Data Protection Board (‘EDPB’) released an information note on Binding Corporate Rules (‘BCRs’), which provides guidance for groups of undertakings/enterprises which have the UK ICO as their competent supervisory authority (‘BCR Lead SA’) [1]. Binding Corporate Rules are a means of legitimizing transfers of personal data outside of the […]
‘Schrems II’ backs the European legal regime into a corner — How can it get out?
On July 16, the Court of Justice of the European Union struck down the EU-U.S. Privacy Shield in the ‘Schrems 2.0’ Case (Facebook Ireland and Schrems (Case C-311/18)). In an article for the International Association of Privacy Professionals, Alston & Bird Senior Counsel Peter Swire analyzes the decision and discusses potential implications, including those relating […]
Schrems 2.0: CJEU invalidates EU-US Privacy Shield and emphasizes exporter obligations when using Standard Contractual Clauses
Executive Summary: Today, the Court of Justice of the European Union (‘CJEU’) handed down its long-awaited judgment in the ‘Schrems 2.0’ case (Facebook Ireland and Schrems (Case C-311/18)), about the validity of two means of legitimizing transfers of personal data outside the EEA under the EU General Data Protection Regulation (‘GDPR’)[1]. In somewhat of a […]