In this Essential Guide, part of Orrick’s Cybersecurity & Privacy Compass Series, we offer insights into the Cyberspace Administration of China's (CAC) new rules and requirements for cross-border data transfers.
The...more
The European Commission today approved the long-awaited framework for data transfers to the United States. What is the decision about? Today's decision means that organisations subject to the GDPR can benefit from an adequacy...more
On 4 May 2023 the European Court of Justice ("CJEU") published its decision (case no. C-300/21) in which it ruled that not any infringement of the General Data Protection Regulation ("GDPR") triggers the right to compensation...more
In early October, the United States (“U.S.”) and European Union (“EU”) came one step closer to the much-awaited new EU-US Data Privacy Framework (the “Framework”), designed to facilitate transatlantic data flows between the...more
10/26/2022
/ Court of Justice of the European Union (CJEU) ,
Cybersecurity ,
Data Protection ,
EU ,
EU-US Privacy Shield ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Popular ,
Schrems I & Schrems II ,
Standard Contractual Clauses
While claims for damages in the event of data protection violations have theoretically existed for some time, they have been gaining in importance since the introduction of the General Data Protection Regulation ("GDPR")....more
On June 4, 2021, the European Commission (the “Commission”) published its implementing Decision adopting standard contractual clauses for transfer of personal data to third countries (the “SCCs”) designed to comply with the...more
The decision of the Procurement Chamber of Baden-Württemberg was annulled by the Higher Regional Court of Karlsruhe in its legally binding decision on September 9, 2022. In contrast to the approach chosen by the Procurement...more
Analysis of the Baden-Württemberg Procurement Chamber on the admissibility of the use of IT services by European subsidiaries of U.S. cloud providers I. Background In its recently published decision (12 July 2022), a...more
On 26 July 2022, the Lower Saxony data protection authority ("Lower Saxony DPA") announced that it has imposed a fine of 1.1 million euros on Volkswagen ("VW") due to GDPR violations. It found that VW has violated data...more
The United States ("U.S.") and the European Commission ("EU Commission") recently announced an “agreement in principle” to develop a new Trans-Atlantic Data Privacy Framework (“Framework”). The Framework is intended to...more
Update: UK international data transfer agreement and UK addendum to the EU standard contractual clauses now in force In February, the Information Commissioner’s Office (“ICO”), the United Kingdom (UK) data protection...more
In February 2022, the United Kingdom (UK) Information Commissioner’s Office (“ICO”), along with the data protection authority (“DPA”) in the UK, published three new documents ("UK Documents") which update the UK's position on...more
The Austrian data protection authority (Österreichische Datenschutzbehörde; Austrian DPA) recently ruled that the use of Google Analytics violated Chapter V (transfers of personal data to third parties) of the EU General Data...more
2/3/2022
/ Australia ,
Corporate Counsel ,
Court of Justice of the European Union (CJEU) ,
Cybersecurity ,
Data Protection ,
Data Protection Authority ,
EU ,
General Data Protection Regulation (GDPR) ,
Google ,
International Data Transfers ,
Schrems I & Schrems II
Significant developments in artificial intelligence, cybersecurity and consumer privacy occurred across the globe in 2021 with the anticipation of more activity in 2022. Our roundup for the year captures some of the major...more
On November 19, 2021, the European Data Protection Board (“EDPB”) issued draft guidance on the interplay between Article 3 of the General Data Protection Regulation (“GDPR”) and the provisions on international transfers...more
On June 7, 2021, the European Commission (Commission) published its long-awaited Implementing Decision adopting standard contractual clauses for the transfer of personal data to third countries referred to as the new Standard...more
Orrick's Cyber, Privacy & Data Innovation and IP Licensing & Technology Transactions groups cover the top 10 things you need to know about the new Standard Contractual Clauses ("SCCs") published today by the European...more
6/7/2021
/ Corporate Counsel ,
Data Protection ,
EU ,
European Commission ,
European Data Protection Board (EDPB) ,
European Economic Area (EEA) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Model Clauses ,
Model Contracts ,
Personal Data ,
Popular ,
Schrems I & Schrems II ,
Standard Contractual Clauses ,
UK ,
UK ICO
What is the General Data Protection Regulation (GDPR)? The GDPR is an EU law that was passed by parliament and went into effect on May 25, 2018. The GDPR unifies the EU under a single data protection regime for all member...more
4/13/2021
/ Cookies ,
Cybersecurity ,
Data Protection ,
EU ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Multinationals ,
Personal Data ,
Personally Identifiable Information ,
Regulatory Requirements ,
Web Tracking
On November 11, 2020, the European Data Protection Board (EDPB) published its long-awaited guidance on what parties to international data transfers should be doing to perform such transfers in a manner compliant with the...more
On October 1st, 2020, the Data Protection Authority of Hamburg (“DPA”) announced that it issued a massive EUR 35.3 million fine against the clothing company H&M Hennes & Mauritz Online Shop A.B. & Co. KG (“H&M”) for the...more
On 16 July, 2020 the European Court of Justice (“CJEU”) published its decision invalidating the EU-U.S. Privacy Shield and setting out enhanced requirements for using the so-called Standard Contractual Clauses for Processors...more
8/26/2020
/ Consumer Privacy Rights ,
Court of Justice of the European Union (CJEU) ,
Data Privacy ,
EU ,
EU-US Privacy Shield ,
European Data Protection Board (EDPB) ,
European Supervisory Authorities (ESAs) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Standard Contractual Clauses
EDPB and data protection authorities’ views and statements on the “Schrems II”- decision by the CJEU -
On 16 July, 2020, the European Court of Justice (“CJEU“) passed a decision invalidating the EU-US Privacy Shield and...more
7/30/2020
/ Binding Corporate Rules ,
Corporate Counsel ,
Court of Justice of the European Union (CJEU) ,
Cybersecurity ,
Data Processors ,
Data Protection ,
EU ,
EU-US Privacy Shield ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Ireland ,
Personal Data ,
Personally Identifiable Information ,
Schrems I & Schrems II ,
Standard Contractual Clauses
The European Court of Justice (CJEU) published its highly anticipated judgement in the case of Data Protection Commissioner Ireland v Facebook Ireland Limited, Maximillian Schrems, colloquially known as “Schrems 2.0”. There...more
7/17/2020
/ Corporate Counsel ,
Court of Justice of the European Union (CJEU) ,
Data Protection Authority ,
EU ,
EU-US Privacy Shield ,
European Commission ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Safe Harbors ,
Standard Contractual Clauses
The European Data Protection Board (EDPB) and a number of European data protection supervisory authorities have recently issued guidance on processing personal data, including special categories of personal data (i.e., health...more
3/17/2020
/ China ,
Coronavirus/COVID-19 ,
Corporate Counsel ,
Crisis Management ,
Cybersecurity ,
Data Management ,
Data Processors ,
Data Protection ,
Denmark ,
Employee Privacy Rights ,
EU ,
EU Data Protection Laws ,
European Data Protection Board (EDPB) ,
France ,
General Data Protection Regulation (GDPR) ,
Germany ,
Infectious Diseases ,
International Data Transfers ,
Ireland ,
Italy ,
Luxembourg ,
New Guidance ,
Norway ,
Personal Data ,
Personally Identifiable Information ,
PHI ,
Poland ,
Public Health ,
Risk Management ,
Spain ,
UK
Since the first enforcement actions have been initiated, some with significant fines, many companies may find themselves somewhat at a loss as they may not fully know how to assess the risks involved and how to react should...more
12/16/2019
/ Cybersecurity ,
Data Breach ,
Data Collection ,
Data Management ,
Data Processors ,
Data Protection ,
Enforcement Actions ,
EU ,
EU Data Protection Laws ,
European Data Protection Board (EDPB) ,
Failure to Comply ,
Fines ,
General Data Protection Regulation (GDPR) ,
Germany ,
International Data Transfers ,
Personal Data ,
Personally Identifiable Information ,
Risk Assessment ,
Risk Management ,
Risk Mitigation ,
Treaty on the Functioning of the European Union (TFEU)