Privacy & Information Security Law Blog

On July 24, 2020, the European Data Protection Board (the “EDPB”) published a set of Frequently Asked Questions (the “FAQs”) on the judgment of the Court of Justice of the European Union (the “CJEU”) in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid, but it struck down the EU-U.S. Privacy Shield framework. With its FAQs, the EDPB sought to provide responses to some of the many questions organizations are asking in the aftermath of the Schrems II ruling.

On Wednesday, July 22, the New York Department of Financial Services (the “NYDFS”) announced that it had filed administrative charges against First American Title Insurance Co. under the NYDFS Cybersecurity Regulation, marking the agency’s first enforcement action since the rules went into effect in March 2017.

On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) invalidated the EU-U.S. Privacy Shield Framework as part of its judgment in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid, but it struck down the Privacy Shield framework on the basis that the limitations on U.S. public authorities’ access to EU personal data were not sufficient for the level of protection in the U.S. to be considered equivalent to that ensured in the EU, and that the framework does not grant EU individuals actionable rights before a body offering guarantees that are substantially equivalent to those required under EU law.

On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) issued its landmark judgment in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid. Unexpectedly, the Court invalidated the EU-U.S. Privacy Shield framework.

On July 6, 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) imposed a €830,000 fine on the Dutch Credit Registration Bureau (Stichting Bureau Krediet Registration, “BKR”) for non-compliance with Articles 12(2) and 12(5) of the EU General Data Protection Regulation (the “GDPR”) between May 2018 and March 2019.

On June 30, 2020, the Federal Trade Commission (“FTC”) announced it had entered into a consent agreement (the “Proposed Settlement”) with NTT Global Data Centers Americas, Inc. (“NTT”), a successor in interest to RagingWire Data Centers, Inc. (“RagingWire”), to settle allegations in a November 2019 Administrative Complaint that RagingWire misrepresented its participation in and compliance with the EU-U.S. Privacy Shield Framework (“Privacy Shield”), in violation of the FTC Act.

In one of the most important cases on global data transfers, the Court of Justice of the European Union (“CJEU”) will rule on the validity of the Standard Contractual Clauses (“SCCs”) in the Schrems II case (case C-311/18) on July 16, 2020. Invalidation of the SCCs would leave businesses scrambling to find an alternative data transfer mechanism. But there may be significant practical challenges for businesses even if the SCCs survive.

On July 14, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a €600,000 fine on Google Belgium SA (“Google”) for non-compliance with the right to be forgotten.

On July 8, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its White Paper (the “Paper”) as input for the European Data Protection Board’s (the “EDPB”) future guidelines on data subject rights (“DSRs”) (the “Guidelines”). The Paper, titled “Data Subject Rights under the GDPR in a Global Data Driven and Connected World,” was drafted following the EDPB stakeholders’ event on DSR in Brussels on November 4, 2019.

In a case that has garnered widespread interest, the Court of Justice of the European Union (“CJEU”) will deliver its judgment in the Schrems II case (case C-311/18) on July 16, 2020, determining the validity of the controller–to-processor Standard Contractual Clauses (“SCCs”) as a cross-border data transfer mechanism under the EU General Data Protection Regulation (“GDPR”). If the SCCs are invalidated, the judgment would deliver a significant blow to the numerous businesses that rely on them, leaving many scrambling to find a suitable alternative transfer mechanism. Even if the SCCs survive, they may become more cumbersome to use.