On December 13, 2022, the European Commission published a draft adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF or DPF”) signaling the potential return of the framework allowing the flow of personal data between the EU and the United States. Although this is a draft decision, if approved, it will ease trans-Atlantic data flow and ease the restrictions that were placed after the 2020 Schrems II decision invalidated the EU-U.S. Privacy Shield framework for cross-border transfers. This draft adequacy decision ultimately concluded that the DPF provides an adequate level of protection of personal data.
Two weeks ago, the German Conference of the Independent Data Protection Authorities of Germany (Datenschutzkonferenz or “DSK”) released a report looking into Microsoft 365’s (Microsoft) compliance under the European Union’s General Data Protection Regulation (GDPR). DSK’s overarching conclusion of the report was that use of Microsoft 365 applications by businesses processing personal data runs afoul of GDPR requirements.
The DSK report alleged Microsoft’s policies and disclosures lack clarity with respect to how personal data is processed and which entity is processing that data. DSK was unable to conclusively determine the cases where Microsoft acts as a data controller rather than a data processor. The distinction between a data controller and a data processor is important because Article 5(2) of the GDPR imposes additional accountability requirements and responsibilities for data controllers. The DSK also expressed concerns regarding Microsoft’s lack of overall clarity and notification to users about subcontractors and sub-processors. The group determined that Microsoft’s lack of detail regarding subcontractors and sub-processors falls below the European Commission’s template on Standard Contractual Clauses.
Continue Reading Windows Pain? German Report Casts Doubt on Microsoft GDPR Compliance
In the past year, we have seen an increase in the number of countries developing/updating legal frameworks (such as model agreements) that permit the transfer of personal data abroad. Transfer mechanisms, such as the model agreements, are necessary because different countries’ data protection laws may offer different levels of protection to individuals’ personal data. Transfer mechanisms function as an “equalizer” by requiring a base level of protection that all entities must have in place when transferring personal data abroad. Accordingly, transfer mechanisms ensure that protections are in place to safeguard data that leaves a country with strong data protection laws to be transferred to a country that has no such laws. Last June, the European Commission updated its Standard Contractual Clauses (“EU SCCs”) permitting the transfer of data outside the European Economic Area (“EEA”) after a decade. Earlier this year the United Kingdom implemented the UK’s version of transfer clauses with the International Data Transfer Agreement (“UK IDTA”). Like Europe and the United Kingdom, China also has some transfer mechanisms in the works.
Continue Reading Data Transfers and Beyond: China Moves Closer to Finalizing Draft Provisions Permitting the Transfer of Personal Data Abroad
This week, the new rules for personal data transfers to countries outside the United Kingdom (“UK”) went into effect. As of March 21, 2022, businesses transferring personal data from the UK to countries outside the European Economic Area (“EEA”) need to analyze their data flows and update their agreements involving data transfer practices to reflect the UK Data Protection Authority’s (“ICO”) new standard contractual clauses.
Under both the European Union’s General Data Protection Regulation (“GDPR”) and the UK Data Protection Act 2018, businesses are required to implement certain safeguards when transferring personal data outside the UK to countries “without an adequate level of data protection.” Standard contractual clauses (“SCCs”) are largely used to validate these types of transfers in the European Union as permitted under GDPR. However, following the “Brexit” transition period that concluded on December 31, 2020, GDPR no longer applied to the UK. Further, when the European Union revised SCCs in June 2021, the changes did not apply in the UK, and companies were left with confusion on how to effectuate personal data transfers outside the UK.
Continue Reading New Personal Data Transfers out of the UK: Like the GDPR, but Different
It is the end of an era: September 27, 2021, officially marks the termination date for the Standard Contractual Clauses (SCCs) grace period set forth by the European Commission (“Commission”). In June 2021, the Commission published two new sets of clauses (2021 SCCs), marking the first update to the SCCs in over a decade. Unlike prior iterations, which were created before the enactment of the European Union’s (EU) General Data Protection Regulation (GDPR), the 2021 SCCs reflect the GDPR’s data protection requirements for multiple variations of data exporter-importer relationships.
Continue Reading Out with the Old and In with The New: European Commission’s New Standard Contractual Clauses Grace Period is Ending
The European Union’s (EU) General Data Protection Regulation (GDPR) sets out requirements for transferring personal data outside the European Economic Area. These requirements not only restrict the use and transfer of personal data, but also ensure that personal data is adequately protected with enforceable rights and effective judicial remedies. In 2020, the EU invalidated the EU-US Privacy Shield, a framework that many US companies relied on when transferring data. However, large tech companies, including Microsoft, have ensured compliance with the GDPR’s transfer requirements through the use of standard contractual clauses (SCCs). These SCCs are “pre-approved” by the European Commission to ensure that adequate protections and safeguards are in place for data transfers.
On May 6, 2021, Microsoft announced they were expanding its existing commitments to data privacy in the EU through a plan called the EU Data Boundary for the Microsoft Cloud (EU Data Boundary Plan). This pledge grows Microsoft’s data processing and storing capabilities in the EU by removing the need to move customer data outside the EU. Full implementation of this plan is set for the end of next year.…
The European Commission has finally released the first updates to the standard contractual clauses (SCCs) required for certain cross-border transfers in more than 10 years. The new SCCs include versions for use between processors and controllers, as well as one for transfers to third countries. These new SCCs mark the first change in such clauses since 2010 and in view of the Court of Justice of the European Union’s decision in Schrems II.
We will write more on this…
Continue Reading Europe Commission Releases Updated Standard Contractual Clauses for GDPR Compliance
Each month, new developments in European privacy law demonstrate both how the times are changing, and how the 2010 Standard Contractual Clauses are increasingly antiquated. Last month, the Commission of the European Union (the “Commission”) published two preliminary implementing decisions:
(1) a draft new set of standard contractual clauses for transfers of personal data from the EU to third countries (the “Cross-Border SCCs”); and
(2) a draft of new standard contractual clauses for certain clauses in controller-processor data processing agreements (“DPAs”) pursuant to Article 28(7) of the General Data Protection Regulations (“GDPR”).
Both drafts, available here, were widely anticipated following the Court of Justice of the European Union (“CJEU”) Schrems II decision, which invalidated the EU-US Privacy Shield framework for cross-border data transfer. Once approved, these new clauses will replace the previous standard contractual clauses used by organizations as an appropriate safeguard for making international transfers of personal data under GDPR.…
As we have often said here in the US, “so goes California, so goes the country” when it comes to laws of all kinds, not just those addressing privacy. Well, globally, the same can be said of the impact of the European Union’s GDPR. Originally scheduled to go into effect this month (it was later amended to be enforced in August 2020), Brazil will be regulating privacy and security more extensively with the Brazilian General Data Protection Law (aka, the Lei Geral de Proteção de Dados and often referred to as the “LGPD” in the Portuguese acronym) (Law 13.709/2018). Here is a quick summary of the LGPD’s requirements.
Continue Reading So goes the EU, so goes the world….Brazil’s new privacy law is on the horizon.
As we assist clients with preparing for GDPR compliance before and after this Friday’s effective date, I thought to share some quick thoughts on the law and what we are seeing here at Taft.
- “GDPR Compliant.” Be wary of companies making such claims and don’t make such claims, yourselves. As with HIPAA, there is no such thing as a stamp of “compliance” approval. And, like bragging about your information security, warranting that you are “compliant” is just asking for that