A New Data Transfer Mechanism Is Available for EU Personal Data

New Set of SCCs for Data Transfers to Third Countries

On June 4, 2021, the European Commission (EC) published its long awaited new set of Standard Contractual Clauses (New SCCs). This new data transfer mechanism allows for the transfers of personal data outside of the European Economic Area (EEA) and replaces the current Standard Contractual Clauses (current SCCs). The New SCCs take into account the European Court of Justice’s (CJEU) Schrems II ruling, which invalidated the EU-U.S. Privacy Shield and requires that data exporters and importers take measures to ensure that the SCCs are effectively complied with. Continue Reading

Locatefamily.com Fined EUR 525,000 for Failure to Appoint an EU Representative

On May 12, 2021, the Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) issued a press release on a EUR 525,000 fine against Locatefamily.com for failing to appoint an EU representative, with additional penalty payments pending should the violation persist. The press release is available in English here, and the decision is available in Dutch here (“Decision”). Continue Reading

Bavarian SA Finds the Use of SCCs Without Supplementary Measures Unlawful

On March 15, 2021, the Bavarian Supervisory Authority (SA)[1] issued a decision regarding the use of Standard Contractual Clauses (SCCs) to transfer personal data from the EU to the U.S. without supplementary security measures. The SA found the data transfer to be unlawful in this case, although it did not impose an administrative fine. The SA’s findings could indicate how European regulators approach the use of SCCs post-Schrems II. Continue Reading

Booking.com Fined EUR 475,000 for Failure to Timely Notify Dutch Supervisory Authority of Data Breach

The Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) sanctioned the online travel booking platform, Booking.com BV (Booking), with a EUR 475,000 fine for failing to notify a data breach to the AP within 72 hours after becoming aware of it, as required by the EU General Data Protection Regulation (GDPR). The decision is available in Dutch here. Continue Reading

Council of the EU Adopts Its Text on the ePrivacy Regulation

On February 10, 2021, the Council of the European Union (EU) agreed on its version of the draft ePrivacy Regulation (Council Position). The long-awaited ePrivacy Regulation, which will repeal the existing ePrivacy Directive, overhauls the rules on cookies and regulates the use of and access to electronic communications data. Continue Reading

Virginia Legislature Sends Novel Privacy Law to Governor’s Desk

Virginia is poised to become the second U.S. state to enact broad consumer privacy legislation. While the legislation draws some parallels with the California Consumer Privacy Act (CCPA) and upcoming California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) introduces new requirements that go beyond these laws, such as opt-ins to collect sensitive data, opt-outs for targeted advertising, the creation of data protection assessments, and new provisions that must be included in service provider agreements. Continue Reading

LexBlog

We use cookies on our site to analyze traffic, enhance your experience, and provide you with tailored content. For more information or to opt-out, visit our privacy policy.

I agree