Weekly Newsletter: 21 December – 25 December 2020
GDPR EU Representative

December 28, 2020

Schrems II Concerns Regarding U.S. National Security Surveillance Do Not Apply to Most Companies Transferring Personal Data to the U.S. Under Standard Contractual Clauses

[#SchremsII #SCCs #EUUSDataTransfer]

“One hopes that EU supervisory authorities, the European Data Protection Board, and Max Schrems will acknowledge that SCC data transfers to the U.S. do not pose the “surveillance” problem the CJEU thought.”

“The thesis articulated in the article linked here is that (1) nearly all companies relying on standard contractual clauses for data transfers to the US under the EU General Data Protection Regulation are not electronic communications service providers for purposes of FISA 702 (i.e., only companies in the business of providing communications services would be covered) and (2) data transfers from Europe to the US under SCCs may not be targeted under FISA 702 and EO 12333 because they are (i) quintessential “US person communications” because either the data exporter is a U.S. person or the data importer is a U.S. person, or more likely, both are US persons and (ii) received by a person located in the U.S. Accordingly, the concerns expressed by the EU Court of Justice in Schrems II should not be problematic for nearly all U.S. companies relying on SCCs.”

To read more: Click here.

GDPR Violations in Germany: Civil Damages Actions on the Rise

[#GDPRviolations #GDPRCivilActions #GDPRGermanCourts]

“New trends in Germany reveal the urgent need for companies to develop effective defense strategies against damages claims raised in German civil courts.

In recent months, German courts have been increasingly following a course similar to the US model of awarding damages in actions alleging data privacy violations. This development may have substantial financial and other consequences for companies involved in the digital economy, including the risk of mass data litigation.

Please see full Alert [link below] for more information.”

To read more: Click here.


Data protection at the end of the transition period

[#EUrepresentative #ICO #EDPObrussels #EDPOuk #UKrepresentative #UKGDPR #DataProtection]

Information Commissioner’s Office guidance for UK companies: don’t forget to appoint your EU Representative!

“Not sure if your organisation will need an EU representative at the end of the transition period? We have guidance on European Representatives and much more. Head to our end of transition hub for advice!”

To read more: Click here.

Italian data regulator opens formal procedure against TikTok

[#tiktok #gdprcompliance #DataRegulator]

“Italy’s data protection regulator has initiated formal proceedings against TikTok alleging that the Chinese-owned video sharing app violates privacy, especially of minors.

The announcement comes after Europe’s network of privacy regulators, the EDPB, set up a taskforce to investigate TikTok’s data practices earlier this year at the request of the Italian authority, known as the Garante. The app is also under investigation by privacy regulators in the Netherlands, Denmark, France and the U.K.

In a statement Tuesday, the Garante said that it was opening its own formal procedure against TikTok despite the ongoing work at the European level because of an urgent need to protect Italian minors. The agency said that its investigation has found that TikTok’s ban on enrolment to people under 13 is easily circumvented and that information for users is too generic and not specific enough for children.”

To read more: Click here.

UK organisations using SolarWinds Orion platform should check whether personal data has been affected

[#ICO #DataBreach #SolarWinds #SolarWindsDataBreach]

“SolarWinds was the victim of a cyber-attack where a vulnerability was inserted into its Orion platform. Organisations using the compromised Orion platform could potentially have allowed an attacker to move into other parts of its IT Network and systems and breach personal data.

Organisations should immediately check whether they are using a version of the software that has been compromised

[…] Organisations must also determine if the personal data they hold has been affected by the cyber-attack. If a reportable personal data breach is found, UK data controllers are required to inform the ICO within 72 hours of discovering the breach.”

To read more: Click here.