Privacy & Information Security Law Blog

On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) invalidated the EU-U.S. Privacy Shield Framework as part of its judgment in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid, but it struck down the Privacy Shield framework on the basis that the limitations on U.S. public authorities’ access to EU personal data were not sufficient for the level of protection in the U.S. to be considered equivalent to that ensured in the EU, and that the framework does not grant EU individuals actionable rights before a body offering guarantees that are substantially equivalent to those required under EU law.

On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) issued its landmark judgment in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid. Unexpectedly, the Court invalidated the EU-U.S. Privacy Shield framework.

On July 6, 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) imposed a €830,000 fine on the Dutch Credit Registration Bureau (Stichting Bureau Krediet Registration, “BKR”) for non-compliance with Articles 12(2) and 12(5) of the EU General Data Protection Regulation (the “GDPR”) between May 2018 and March 2019.

On June 30, 2020, the Federal Trade Commission (“FTC”) announced it had entered into a consent agreement (the “Proposed Settlement”) with NTT Global Data Centers Americas, Inc. (“NTT”), a successor in interest to RagingWire Data Centers, Inc. (“RagingWire”), to settle allegations in a November 2019 Administrative Complaint that RagingWire misrepresented its participation in and compliance with the EU-U.S. Privacy Shield Framework (“Privacy Shield”), in violation of the FTC Act.

In one of the most important cases on global data transfers, the Court of Justice of the European Union (“CJEU”) will rule on the validity of the Standard Contractual Clauses (“SCCs”) in the Schrems II case (case C-311/18) on July 16, 2020. Invalidation of the SCCs would leave businesses scrambling to find an alternative data transfer mechanism. But there may be significant practical challenges for businesses even if the SCCs survive.

On July 14, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a €600,000 fine on Google Belgium SA (“Google”) for non-compliance with the right to be forgotten.

On July 8, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its White Paper (the “Paper”) as input for the European Data Protection Board’s (the “EDPB”) future guidelines on data subject rights (“DSRs”) (the “Guidelines”). The Paper, titled “Data Subject Rights under the GDPR in a Global Data Driven and Connected World,” was drafted following the EDPB stakeholders’ event on DSR in Brussels on November 4, 2019.

In a case that has garnered widespread interest, the Court of Justice of the European Union (“CJEU”) will deliver its judgment in the Schrems II case (case C-311/18) on July 16, 2020, determining the validity of the controller–to-processor Standard Contractual Clauses (“SCCs”) as a cross-border data transfer mechanism under the EU General Data Protection Regulation (“GDPR”). If the SCCs are invalidated, the judgment would deliver a significant blow to the numerous businesses that rely on them, leaving many scrambling to find a suitable alternative transfer mechanism. Even if the SCCs survive, they may become more cumbersome to use.

On July 9, 2020, the European Commission (the “Commission”) adopted a Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions entitled: “Getting ready for changes – Communication on readiness at the end of the transition period between the European Union and the United Kingdom” (the “Communication”).

On July 13, 2020, the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) announced that it levied a €16,729,600 fine on telecoms provider Wind Tre S.p.A. (“Wind Tre”) for several unlawful data processing activities, mostly related to direct marketing.