On August 24, 2020, the data protection authority of the German state of Baden-Württemberg (the “DPA”) published guidance (the “Guidance”) on international transfers of personal data following the Schrems II judgment (which we have previously covered here). This represents the first comprehensive guidance by a European privacy supervisor indicating how it intends to enforce the […]
GDPR
After Schrems II: A Proposal to Meet the Individual Redress Challenge
On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield in the Schrems II case. In an article written by Georgia Tech professor and Alston & Bird Senior Counsel Peter Swire with co-author Kenneth Propp, entitled ‘After Schrems II: A Proposal to Meet the Individual Redress Challenge’, […]
European Data Protection Board Statement Provides Preliminary Insight into Use of Standard Contractual Clauses Following Schrems II Judgment
On July 17, 2020, the European Data Protection Board (‘EDPB’) published a statement on the outcome of the Schrems II judgment, passed by the Court of Justice of the European Union (‘CJEU’) the day before. The judgment invalidated the EU-U.S. Privacy Shield, and issued a number of clarifications and caveats on the use of Standard […]
EU DPAs Announce Post-Schrems Enforcement Plans
Today, the European Court of Justice (ECJ) issued its much-anticipated decision in the Schrems II case. As we analyze in detail in an earlier blog post, the ECJ’s decision invalidates Privacy Shield while leaving Standard Contractual Clauses (SCCs) formally intact – although relying on SCCs may become more complicated than in the past. A number […]
Schrems 2.0: CJEU invalidates EU-US Privacy Shield and emphasizes exporter obligations when using Standard Contractual Clauses
Executive Summary Today, the Court of Justice of the European Union (‘CJEU’) handed down its long-awaited judgment in the ‘Schrems 2.0’ case (Facebook Ireland and Schrems (Case C-311/18)), about the validity of two means of legitimizing transfers of personal data outside the EEA under the EU General Data Protection Regulation (‘GDPR’)[1]. In somewhat of a […]