The Spring 2021 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. New cookie rules in Germany will apply as of December 1, 2021
  2. German data protection authorities conduct coordinated audits on international data transfers

Today the European Commission issued the new and long-awaited Standard Contractual Clauses, available here (SCCs). These new SCCs contain updates for the GDPR, and replace the three sets of SCCs that were adopted under the previous Data Protection Directive. The SCCs released today include the following modules:

  • Controller to controller transfers,
  • Controller to processor transfers,
  • Processor to processor transfers, and
  • Processor to controller transfers.

The draft SCCs had been open to consultation in December of 2020 (more on our previous blog here). The final drafts issued today will come into effect 20 days after publication on the Official Journal of the European Union, which should be sometime between the 25th and 30th of June 2021.
Continue Reading European Commission issues New Standard Clauses for data transfers outside the EEA: Act within 18 months

The Court of Justice of the European Union (CJEU) handed down its judgment on a case brought by privacy rights activist, Max Schrems (C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems) (Schrems II) yesterday, July 16, 2020. The case concerned the transfer of personal data to recipients in the United States via the

Today, the Advocate General Henrik Saugmandsgaard Øe (AG) published his opinion on a case brought by privacy rights activist, Max Schrems (C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems) (Schrems II). The case concerns the validity of the standard contractual clauses (SCCs). The Court of Justice of the European Union (CJEU) press release can be found here, and the AG’s opinion here.

The General Data Protection Regulation (GDPR) provides that personal data may be transferred to a third country if that country ensures an adequate level of data protection. SCCs are one of several mechanisms approved by the European Commission for personal data transfers to countries not found to offer adequate protection for personal data. If the SCCs were invalidated, thousands of businesses would have to review their data transfer arrangements.

Below, we take a look at the AG opinion.
Continue Reading Advocate General gives opinion on Schrems II: an early Christmas present?

Early last month, the European Commission tabled proposed amendments to its existing decisions on the adequacy of third countries’ data protection laws, and to its decisions on the EU standard contractual clauses.

When the CJEU invalidated the EU-U.S. Safe Harbor framework in the Schrems decision last year, it set in motion a review of all

Advocate General Yves Bot today delivered an opinion recommending that the European Court of Justice (ECJ) find the U.S.-EU Safe Harbor Program invalid. His opinion, while non-binding, relates to a request for a preliminary ruling referred to the ECJ by the High Court of Ireland, Irish Court in Schrems v. Data Protection Commissioner, (ECJ, No. C362/14, 23 Sept 2015).

In light Edward Snowden’s disclosures of systematic monitoring of communications by the U.S government, Maximillian Schrems, an Austrian citizen, complained to the Irish Data Protection Commissioner. When the Irish Data Protection Authority did not investigate, Schrems brought an action in the Irish courts challenging that decision.

The Advocate General’s Opinion sets out two significant recommendations.

  1. EU Member States’ national data protection (DPA) authorities must be able to investigate complaints that call into question the level of protection ensured by a third country, such as the United States, and be able to suspend transfers of personal data if the DPA considers the transfer to undermine individuals’ protections.
  2. Commission Decision 2000/520/EC, which found transfers of personal data to the U.S. under the Safe Harbor Program provided an adequate level of protection for transfers of personal data under Article 26 of the EU Data Protective Directive 95/46/EC, should be declared invalid as Safe Harbour cannot ensure an adequate level of protection.

Continue Reading Safe Harbor Invalid! Will the ECJ follow the Advocate General recommendation?