The Winter 2022 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

Continue Reading Get your Update on IT & Data Protection Law in our Newsletter (Winter 2022 Edition)

The arrival of the new EU Standard Contractual Clauses (“EU SCCs”) for international transfers in June 2021 was widely awaited as a way to better understand the new requirement, following the Court of Justice of the European Union’s (“CJEU”) decision in Schrems II, to assess third-country laws on government access to data before relying on the SCCs. As a value add, the EU SCCs were updated to reflect the GDPR requirements and also enable organisations to cover a wider range of data flows than their previous versions, thanks to the addition of ‘processor-to-processor’ and ‘processor-to-controller’ scenarios. Binding Corporate Rules (“BCRs”), another transfer tool available under the EU General Data Protection Regulation (“GDPR”), have not yet been updated to offer the same flexibility across the diversity of data flows and presently appear to be more limited in use by comparison. It is expected that the European Data Protection Board (“EDPB”) will publish updated BCR requirements in 2022.
Continue Reading So you have got BCRs? You may still need to use the new EU SCCs

On December 1, 2021, in a much-noted decision, the Administrative Court of Wiesbaden (AC Wiesbaden) handed down a preliminary injunction dealing with international data transfers (case 6 L 738/21.WI, available in German here). In the specific case, there was no data transfer mechanism in place and thus the court ordered the defendant to stop using a cookie consent management platform. Contrary to some reports, the court did not rule that U.S.-based consent management solutions or cookies cannot be used anymore. The injunction can still be appealed and could also be lifted in the main proceedings.
Continue Reading German court prohibits U.S. data transfers in “Cookiebot” decision: Why this decision is special and should alert, but not upset your organization

The Summer 2021 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. Update on international data transfers
  2. State Labour Court of Baden-Württemberg: No claim for damages for transferring personal data to the United States on

During its 51st plenary session on 7th July 2021, the European Data Protection Board (EDPB) adopted guidelines on codes of conduct as tools for transfers (CoC Guidelines). The CoC Guidelines are available here.

The CoC Guidelines support and complement the previous EDPB Guidelines on CoCs published in 2019 (2019 Guidelines) that established the general framework for the adoption of CoCs. We have previously written about the 2019 Guidelines here.

Purpose of the CoC Guidelines

The main purpose of the CoC Guidelines is to clarify the application of Articles 40(3) and 46(2)(e) of the General Data Protection Regulation (GDPR) relating to codes of conduct as appropriate safeguards for transfers of personal data to third countries. These provisions specify that a code of conduct which has been (1) approved by a competent supervisory authority and (2) granted general validity within the EEA by the EU Commission may be used and adhered to by controllers and processors not subject to the GDPR in order to provide appropriate safeguards to effect transfers of data outside of the EU.

The CoC Guidelines should further act as a clear reference for all EU supervisory authorities, the EDPB and assist the EU Commission in evaluating codes in a consistent manner and streamline the procedures involved in the assessment process. They should also provide greater transparency, ensuring that code owners who intend to seek approval for a code of conduct intended to be used as a tool for transfers are aware of the process and understand the formal requirements and the appropriate thresholds required for setting up such a code of conduct.
Continue Reading The European Data Protection Board adopts guidelines on codes of conduct as a tool for transfers

On 28 June 2021, the European Commission (Commission) adopted two adequacy decisions for the UK: one covering the GDPR and the other the Law Enforcement Directive (LED). The decisions reflect the Commission’s finding that the UK ensures an ‘essentially equivalent’ level of protection to that within the EU. The implication is that personal data can now flow freely from the EU to the UK, effective immediately.

Background

On the 19th February, the Commission published two draft adequacy decisions and launched the procedure for their adoption, which we previously wrote about here. Since then, the Commission has carefully assessed the UK’s laws and practices on personal data protection, including access to data by public authorities in the UK. The European Data Protection Board gave its opinion on the draft decisions in support of the Commission’s findings, which we also blogged about here, before finally receiving the ‘green light’ from the EU Member states’ representatives.

The Commission’s 93-page GDPR decision assesses the legal framework for the UK in detail, even referencing laws such as the Magna Carta and Bill of Rights, and states ‘As the UK GDPR is based on EU legislation, the data protection rules in the United Kingdom in many aspects closely mirror the corresponding rules applicable within the European Union.’ It concludes that ‘the Commission considers that the UK GDPR and the DPA 2018 ensure a level of protection for personal data transferred from the European Union that is essentially equivalent to the one guaranteed by Regulation (EU) 2016/679.’

Continue Reading UK adequacy decision for European data transfers

The European Commission published a draft decision on UK adequacy for transfers of personal data from the EU to the UK, which you can read here. The Commission conducted an assessment of the UK’s data protection framework under the UK GDPR and the Data Protection Act 2018, including the data protection rules applicable to UK law enforcement, national security and surveillance. It concludes that the UK ensures an ‘essentially equivalent’ level of protection to that within the EU under both the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED), meaning personal data can flow from the EU to the UK without further safeguards.
Continue Reading Data flows to the UK from the EU won’t hit a dam

On 19 January 2021, the Information Commissioner’s Office (ICO), published a letter dated 11 September 2020, available here, explaining that personal data transfers from UK based companies to the Securities and Exchange Commission (SEC) for the purposes of regulatory compliance may be permitted under the General Data Protection Regulation (GDPR).

Background

Firms regulated by the SEC must fulfil requests for documentation made by the SEC and make their books, records or documents available for inspection, to ensure compliance with U.S. federal securities laws, rules and regulations. This calls for the production of information, documentation and other records, which may include personal data and special category personal data.

Continue Reading The ICO offers guidance on personal data transfers to the SEC