Photo of Christian Leuthner

With cybersecurity becoming a board-level issue, compliance officers, lawyers, board members, and business drivers are looking for official guidance or recommendations on cybersecurity measures to protect business, customers, and the wider economy.Continue Reading Cybersecurity preparedness: What guidance to follow?

On Monday, January 29th, we celebrated Global Data Protection Day by delivering an exciting webinar highlighting the latest data protection laws and bills that might influence your business.

Please see below our webinar recording featuring our data protection specialists, and learn tips and tricks for successfully navigating the evolving landscape of data protection.

Download

Background

The European Commission (EC) issued the long-awaited adequacy decision for the new EU-U.S. Data Privacy Framework (Framework) on July 10, 2023. The Court of Justice of the European Union (CJEU) had previously invalidated both the U.S.-EU Safe Harbor in 2015, and the U.S.-EU Privacy Shield in 2020 after challenges by Austrian privacy activist Max Schrems (CJEU decisions known as Schrems I and Schrems II, respectively). Following those decisions President Biden signed Executive Order 14086 on “Enhancing Safeguards for United States Signals Intelligence Activities”, which introduced new binding safeguards. Our previous client alert discussed how the draft adequacy decision, including in relation to this this Executive Order, addressed concerns raised in Schrems II.Continue Reading Third Time’s a Charm: European Commission adopts EU-U.S. Data Privacy Framework

The arrival of the new EU Standard Contractual Clauses (“EU SCCs”) for international transfers in June 2021 was widely awaited to better understand the new requirements to assess the third-country laws for government access to data prior to using the SCCs following the Court of Justice of the European Union’s (“CJEU”) decision on Schrems II. As a value add, the EU SCCs were updated to reflect the GDPR requirements and also enabled organisations to cover a wider range of data flows than their previous versions due to the addition of ‘processor-to-processor’ and ‘processor-to-controller’ scenarios. Binding Corporate Rules (“BCRs”), another transfer tool available under the EU General Data Protection Regulation (“GDPR”), have not yet been updated to reflect the same flexibility in reflecting the diversity of data flows and presently appear to be limited in use in comparison. It is expected that the European Data Protection Board (“EDPB”) will publish updated BCR requirements in 2022.
Continue Reading So you have got BCRs? You may still need to use the new EU SCCs

The European Data Protection Board (EDPB) adopted final Recommendations on Supplementary Measures (Recommendations) for data transfers to third countries, published in response to the CJEU ruling in Schrems II. The Recommendations contain a six-step methodology to assess transfers of personal data from the EEA to those countries outside the EEA that have not been approved by the European Commission as providing adequacy. The Recommendations also contain various supplementary measures that can be used if the transfer tools an organisation has selected does provide an equivalent level of protection to that offered under the GDPR and individual’s rights and freedoms under the EU Charter of Fundamental Rights. The Recommendations contain practical guidance where there is “problematic legislation” in an importing country such that public and governmental authorities would be able to access individuals’’ personal data.

The EDPB published draft recommendations for public consultation in November 2020. There are some key changes between the draft and the final Recommendations.  The final draft places a particular focus on the specific circumstances of the transfer in the data transfer assessment. It also calls organisations to review not only laws but also practices of a third country’s surveillance measures by public authorities. The final Recommendations also emphasise that use of the GDPR derogations are meant to be an exception to rule barring transfers of personal data from the EEA to third countries not otherwise deemed adequate.

The Recommendations emphasize that it is the obligation of both data exporters and data importers to ensure the level of protection set by the EU laws when they transfer data to third countries. To comply with the accountability principle under the GDPR, controllers or processors acting as data exporters must ensure that data importers collaborate with them in ensuring protection travels with the data and jointly monitor the measures taken are effective in achieving that aim.
Continue Reading EDPB adopts final recommendations on Supplementary Measures nearly a year after the CJEU’s Schrems II ruling

Catch up on our Tech Law Talks podcast series for practical observations on technology and data legal trends. We cover product and technology development to operational and compliance issues that technology practitioners encounter every day.

On this channel, we host regular discussions about the legal and business issues around data protection, privacy and security; data

The Court of Justice of the European Union (CJEU) handed down its judgment on a case brought by privacy rights activist, Max Schrems (C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems) (Schrems II) yesterday, July 16, 2020. The case concerned the transfer of personal data to recipients in the United States via the

After a month of rumors, uncertainty, and German data protection authorities being nontransparent, the German conference of data protection authorities (Datenschutzkonferenz, DSK) published the concept for calculating administrative fines for data protection violations (Concept, available here) on October 16, 2019.

The Concept sets out a standardized approach regarding the calculation of administrative fines in accordance with article 83(4) and (5) of the General Data Protection Regulation (GDPR) and also takes into account the circumstances of the individual case as described in article 83(2) GDPR. The Concept provides a uniform determination of administrative fines under GDPR without losing the flexibility to consider the individual case and situation of the violating person or organization (Violating Entity).

The Concept is not binding on courts, non-German authorities, or the European Data Protection Board (EDPB) and shall only be used for violations in Germany that are not cross-border cases. The Concept shall only be used until the EDPB has issued its own guidelines for the determination of fines under article 83 GDPR. In addition, the Concept shall not be used for fining associations or natural person outside of their economic activity.

In this blog, we explain the five-step procedure that the DSK applies in the calculation:Continue Reading Calculation of administrative fines under GDPR – standardized concept published in Germany

In a preliminary judgment of 14 June 2017, Case C-610/15, the Court of Justice of the European Union (‘CJEU’) held that the making available and management of a peer-to-peer sharing platform may constitute a copyright infringement.

Facts of the case

In the underlying main proceedings before the Supreme Court of the Netherlands, Stichting Brein, a Dutch foundation which safeguards the interests of copyright holders, sued two internet access providers to block the domain names and IP addresses of a certain online platform called The Pirate Bay (‘TPB’), in order to prevent the services of the internet access providers from being used to infringe the copyright and related rights of the right holders.Continue Reading CJEU: Operation of peer-to-peer sharing platform may qualify as copyright infringement