Privacy & Information Security Law Blog

On May 23, 2024, the European Data Protection Board adopted an Opinion on the use of facial recognition technologies by airport operators and airline companies to streamline the passenger flow at airports.

On April 17, 2024, the European Data Protection Board adopted its non-binding Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms, stating that such models generally are not compliant with the GDPR, though their use should be considered on a case-by-case basis.

On February 28, 2024, the European Data Protection Board (“EDPB”) announced the launch of its latest Coordinated Enforcement Framework action on the right of access. Through the course of 2024, 31 data protection authorities across the European Economic Area, including seven German state-level authorities, will take part in this initiative on the implementation of the right of access. The EDPB selected the right access for its third coordinated enforcement action as it is “at the heart of data protection,” is a right that is very frequently exercised by individuals, and one that is often the basis of complaints to authorities.

On February 13, 2024, the European Data Protection Board (“EDPB”) adopted Opinion 04/2024 on the notion of the main establishment of a controller in the Union under Article 4(16)(a) of the EU General Data Protection Regulation (“GDPR”) (the “Opinion”).

On February 8, 2024, the French Data Protection Authority (the “CNIL”) announced the priority topics for its inspections in 2024.  

On November 16, 2023, the European Data Protection Board (“EDPB”) published its Guidelines 2/2023 on the Technical Scope of Art. 5(3) of the ePrivacy Directive (the “Guidelines”).

On September 15, 2023, the Irish Data Protection Commission (the “DPC”) announced a fine of 345 million Euros against TikTok Technology Limited (“TikTok”) for non-compliance with GDPR rules regarding the processing of personal data of child users. This decision by the DPC reflects the binding decision of the European Data Protection Board (the “EDPB”) pursuant to Article 65 of the GDPR.

On July 19, 2023, the European Data Protection Board (“EDPB”) issued an Information Note regarding data transfers to the U.S. following the adoption of an adequacy decision on the EU-U.S. Data Privacy Framework (the “Data Privacy Framework”) on July 10, 2023 (the “Information Note”).

On July 14, 2023, the Norwegian Data Protection Authority (“DPA”) ordered Meta Platforms Ireland Limited and Facebook Norway AS (jointly, “Meta”) to temporarily cease the processing of personal data of data subjects in Norway for the purpose of targeting ads on the basis of “observed behavior,” when relying on either the contractual necessity legal basis (Article 6(1)b)) or the legitimate interests legal basis (Article 6(1)(f)) of the GDPR.

On June 30, 2023, the European Data Protection Board (“EDPB”) published Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) (the “Recommendations”), which were adopted on June 20, 2023. Binding corporate rules (“BCRs”) are a mechanism for transferring personal data to third countries in accordance with Chapter V of the EU General Data Protection Regulation (“GDPR”), and must be approved by the relevant organization’s lead supervisory authority. BCRs create enforceable rights and set out commitments in order to create, for the personal data transferred under the BCRs, a level of protection essentially equivalent to that provided by the GDPR.

On June 7, 2023, the European Data Protection Board (“EDPB”) adopted the final version of its Guidelines on the calculation of administrative fines under the GDPR (the “Guidelines”). Through the Guidelines, the EDPB intends to harmonize the methodology used by supervisory authorities (“SA”) to calculate fines.

On May 25, 2023, the European Data Protection Board (“EDPB”) elected Anu Talus, head of the Finish data protection authority, as its new Chair, replacing Andrea Jelinek. The EDPB also elected Irene Loizidou Nikolaidou, head of the Cypriot data protection authority, as one of its Deputy Chairs, replacing Ventsislav Karadjov.

On May 22, 2023, the Irish Data Protection Commission (the “DPC”) announced a €1.2 billion fine against Meta Ireland for unlawfully transferring personal data to the U.S.

On May 17, 2023, the European Data Protection Board (EDPB) adopted the final version of its Guidelines on facial recognition technologies in the area of law enforcement (the “Guidelines”). The Guidelines address lawmakers at the EU and EU Member State level, and law enforcement authorities and their officers implementing and using facial recognition technology. 

On April 26, 2023, the European Data Protection Board (“EDPB”) initiated the procedure for electing a new Chair and Deputy Chair to replace Andrea Jelinek and Ventsislav Karadjov, whose mandates will end on May 25, 2023.

This is an excerpt from Centre for Information Policy Leadership (“CIPL”) President Bojana Bellamy’s recently published piece in the IAPP “Privacy Perspectives” blog, and are the views of the author.

On February 28, 2023, the European Data Protection Board (“EDPB”) issued its Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework (the “Opinion”). In the Opinion, the EDPB recognized substantial improvements in the proposed EU-U.S. Data Privacy Framework (“DPF”) when compared to Privacy Shield, whilst also stating that a number of aspects of the DPF need to be clarified, developed or further detailed.

On February 24, 2023, following public consultation, the European Data Protection Board (EDPB) published the following three sets of adopted guidelines:

1. Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V GDPR (05/2021) (final version);
2. Guidelines on certification as a tool for transfers (07/2022) (final version); and
3. Guidelines on deceptive design patterns in social media platform interfaces (03/2022) (final version).

On January 18, 2023, the European Data Protection Board (“EDPB”) published its Report on the work undertaken by the Cookie Banner Taskforce (the “Report”).

On January 10, 2023, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth  responded to a call for public comments from the European Data Protection Board (“EDPB”) regarding their Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) (“Recommendations 1/2022”). The Recommendations 1/2022 are intended to bring existing Controller Binding Corporate Rules (“BCR-C”) in line with the GDPR and the Schrems II ruling.

On December 16, 2022, the California Privacy Protection Agency (“CPPA”) Board held a public meeting regarding the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process and other topics, such as the CPPA’s advocacy regarding proposed federal and state privacy legislation.

On December 13, 2022, the European Commission launched the process for the adoption of an adequacy decision for the EU-U.S. Data Privacy Framework. If adopted, the long-awaited adequacy decision will provide EU companies transferring personal data to the U.S. with an additional mechanism to legitimize their transfers.

An adequacy decision would foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union (“CJEU”) judgment in the Schrems II case.

On November 17, 2022, the UK data protection regulator, the Information Commissioner’s Office (“ICO”), published updated guidance on international transfers that includes a new section on transfer risk assessments (“TRAs”) and a TRA tool.

In its statement regarding the updated guidance, the ICO describes the TRA guidance as “an alternative approach to the one put forward by the European Data Protection Board” and says its aim is “to find an alternative, achievable approach delivering the right protection for the people the data is about, whilst ensuring that the assessment is reasonable and proportionate.”

On October 7, 2022, President Biden signed Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which provides a new framework for legal data transfers between the European Union and the United States. The legal basis for transatlantic data transfers has been uncertain since 2020, when the European Court of Justice (“ECJ”) declared the previous framework, the EU-U.S. Privacy Shield, invalid under EU law. 

On September 21, 2022, Denmark’s data protection authority Datatilsynet (“Danish DPA”) announced its guidance that Google Analytics, Google’s audience measurement tool, is not compliant with the EU General Data Protection Regulation (“GDPR”), as the tool transfers personal data to the United States which, following Schrems II, does not offer an adequate level of data protection.

On May 12, 2022, the European Data Protection Board (“EDPB”) adopted Guidelines 04/2022 on the calculation of administrative fines under the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”). The Guidelines are intended  to harmonize the methodology supervisory authorities (“SAs”) use when calculating the amount of a GDPR fine and provide illustrative examples to help organizations understand the calculation method.

On May 11, 2022, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2021 (the “Report”). The Report provides an overview of the CNIL’s enforcement activities in 2021. The report notably shows a significant increase in the CNIL’s activity.

On April 7, 2022, the European Data Protection Board (the “EDPB”) released a statement on the announcement of a new Trans-Atlantic Data Privacy Framework (the “Statement”).

On February 22, 2022, the European Data Protection Board (the “EDPB”) adopted its final Guidelines 04/2021 on Codes of Conduct as tools for transfers (the “Guidelines”), following a public consultation that took place in 2021.

On February 15, 2022, the French Data Protection Authority (the “CNIL”) published its enforcement priority topics for 2022. Each year, the CNIL conducts numerous investigations in response to complaints, data breach notifications and ongoing events, or based on previously established enforcement priorities.

On February 10, 2022, the French Data Protection Authority (the “CNIL”) ruled the transfer of EU personal data from the EU to the U.S. through the use of the Google Analytics cookie to be unlawful. In its decision, the CNIL held that an organization using Google Analytics was in violation of the GDPR’s data transfer requirements. The CNIL ordered the organization to comply with the GDPR, and to stop using Google Analytics, if necessary.

The Austrian data protection authority (the “Austrian DPA”) recently published a decision in a case brought against an Austrian website provider and Google by the non-governmental organization co-founded by privacy activist Max Schrems, None of Your Business (“NOYB”). The Austrian DPA ruled that the use of Google Analytics cookies by the website operator violates both Chapter V of the EU General Data Protection Regulation (“GDPR”), which establishes rules on international data transfers, and the Schrems II judgment of the Court of Justice of the European Union.

In a letter addressed to certain members of the European Parliament (“MEPs”), European Commissioner for Justice Reynders refuted some of the criticism that has been raised against the Irish Data Protection Commissioner (“DPC”).

On November 18, 2021, the European Data Protection Board (“EDPB”) released a statement on the Digital Services Package and Data Strategy (the “Statement”). The Digital Services Package and Data Strategy is a package composed of several legislative proposals, including the Digital Services Act (“DSA”), the Digital Markets Act (“DMA”), the Data Governance Act (“DGA”), the Regulation on a European approach for Artificial Intelligence (“AIR”) and the upcoming Data Act (expected to be presented shortly). The proposals aim to facilitate the further use and sharing of personal data between more public and private parties; support the use of specific technologies, such as Big Data and artificial intelligence (“AI”); and regulate online platforms and gatekeepers.

On November 19, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 05/2021 (the “Guidelines”) on the interplay between the application of Article 3 of the EU General Data Protection Regulation (“GDPR”), which sets forth the GDPR’s territorial scope, and the GDPR’s provisions on international data transfers. The Guidelines aim to assist organizations subject to the GDPR in identifying whether a data processing activity constitutes an international data transfer under the GDPR, as the GDPR does not define the term.

On November 5, 2021, IAB Europe (“IAB EU”) announced that, in the coming weeks, the Belgian Data Protection Authority plans to share with other data protection authorities a draft ruling on the IAB EU Transparency & Consent Framework (“TCF”). The TCF is a GDPR consent solution built by IAB EU that has become a widely used approach to collecting consent to cookies under the GDPR. The draft ruling is expected to find that the TCF does not comply with the GDPR, in part because IAB EU acts as a controller, and the digital signals the TCF creates to capture individuals’ consent to cookies are personal data under the GDPR. Because IAB EU does not consider itself a controller with respect to the TCF, it does not currently comply with the GDPR’s controller obligations.

On October 13, 2021, the European Data Protection Board (“EDPB”) adopted Guidelines 10/2020 on restrictions under Article 23 of the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”) following public consultation. Article 23 of the GDPR permits EU Member States to impose restrictions on data subject rights as long as the restrictions respect the essence of the fundamental rights and freedoms of individuals, and are necessary and proportionate measures in a democratic society to safeguard, for example, national security, defense or public security. The data subject rights to which the restrictions may apply are those set out in Articles 12-22 (e.g., rights of access, erasure), Article 34 (communication of a data breach to individuals) and Article 5 (the data processing principles) to the extent that its provisions correspond to data subject rights.

On September 27, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a white paper on the “GDPR Enforcement Cooperation and the One-Stop-Shop (“OSS”) - Learning from the First Three Years” (the “Paper”). The Paper identifies the challenges faced by the OSS, defines CIPL’s position, and proposes possible solutions to improve the OSS mechanism, taking into account the European Data Protection Board’s (“EDPB”) recent work and decisions by the Court of Justice of the European Union (“CJEU”).

On September 27, 2021, the European Data Protection Board (“EDPB”) announced that it had adopted an opinion on the European Commission’s draft adequacy decision for the Republic of Korea (the “Opinion”).

On September 27, 2021, the European Data Protection Board (the “EDPB”) announced that it established a taskforce to coordinate the response to complaints filed with several EU data protection authorities (“DPAs”) by the non-governmental organization None of Your Business (“NOYB”) in relation to cookie banners.

On August 19, 2021, the Belgian Council of State confirmed a decision of the regional Flemish Authorities to contract with an EU branch of a U.S. company using Amazon Web Services (“AWS”).

On September 2, 2021, Ireland’s Data Protection Commission (“DPC”) announced a fine of €225 million ($266 million) against WhatsApp Ireland Ltd (“WhatsApp”) for failure to meet the transparency requirements of Articles 12-14 of the EU General Data Protection Regulation (“GDPR”). This fine represents a more than four-fold increase in the €30-50 million fine that was proposed in a draft decision issued by the DPC in December 2020. Due to the cross-border nature of WhatsApp’s data processing activities, the DPC’s draft decision was reviewed by other relevant supervisory authorities, as required by the cooperation and consistency mechanism under Chapter VII of the GDPR. Eight other EU regulators objected to the DPC’s draft decision. Their objections were referred to the European Data Protection Board (“EDPB”), in accordance with the dispute resolution procedure under Article 65(1)(a) of the GDPR, after the DPC failed to reach a consensus with the objecting regulators.

On July 2, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a white paper on How the Legitimate Interest Ground for Processing for Processing Enables Responsible Data Use and Innovation (the “Paper”). The Paper explains the growing importance of the legitimate interests legal basis for organizations, whether for routine or more complex and innovative data processing activities. It provides recommendations on how this legal basis should be interpreted, used and applied to unlock the value of data in today’s global connected world. Finally, the Paper includes examples of data processing activities where organizations currently rely on the legitimate interests legal basis, illustrated by 16 case studies that describe how organizations balance the legitimate interest of the controller and individuals’ rights and freedoms.

In an article originally published on Practical Law, and reproduced with the permission of the publishers, Hunton Andrews Kurth London partner Bridget Treacy discusses the European Commission’s long-awaited, and now finalized, standard contractual clauses (“SCCs”) for international transfers of personal data made under the EU General Data Protection Regulation (“GDPR”).

On June 21, 2021, following a public consultation, the European Data Protection Board (“EDPB”) published the final version of its recommendations on supplementary measures in the context of international transfer safeguards, such as Standard Contractual Clauses (“SCCs”) (the “Recommendations”).

On May 20, 2021, the Belgian Data Protection Authority (“Belgian DPA”), as the lead authority (in collaboration with two co-reviewing authorities), announced that it had approved the EU Data Protection Code of Conduct for Cloud Service Providers (the “EU Cloud CoC”). The EU Cloud CoC is the first transnational EU code of conduct since the entry into force of the EU General Data Protection Regulation (the “GDPR”).

On May 14, 2021, the Irish High Court dismissed Facebook Ireland’s (“Facebook”) challenge to the Irish Data Protection Commissioner’s (“DPC”) investigation into Facebook’s international transfers of personal data.

On May 11, 2021, the European Parliament issued a press release requesting that the European Commission amend its draft decisions on UK adequacy to more closely align with EU court rulings and the opinion of the European Data Protection Board (“EDPB”). The request came after the Parliament’s Civil Liberties Committee (the “Committee”) passed a resolution evaluating the Commission’s approach regarding the adequacy of the UK’s data protection regime. The Members of European Parliament (“MEPs”) stated that if the Commission’s implementing decisions are adopted without amendment, transfers of personal data to the UK should be suspended when there is the potential for indiscriminate access to personal data.

On April 23, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Data Protection Board (“EDPB”) consultation on draft guidelines on virtual voice assistants (the “Guidelines”). The Guidelines were adopted on March 12, 2021 for public consultation.

On April 14, 2021, the European Data Protection Board (“EDPB”) announced that it had adopted its Opinion on the draft UK adequacy decision issued by the European Commission on February 19, 2021. The EDPB’s Opinion is non-binding but will be persuasive. The adequacy decision will be formally adopted if it is approved by the EU Member States acting through the European Council. If the adequacy decision is adopted, transfers of personal data from the EU to the UK may continue following the end of the post-Brexit transition period without the implementation of a data transfer mechanism under the EU General Data Protection Regulation (“GDPR”), such as Standard Contractual Clauses.

On March 30, 2021, the European Commission (the “Commission”) announced the successful conclusion of the adequacy talks with the Republic of Korea.

On March 15, 2021, the state Data Protection Authority of Bavaria (“Bavarian DPA”) declared the use of U.S. e-mail marketing service Mailchimp by a fashion magazine (acting as controller) in Bavaria impermissible due to non-compliance with Schrems II mitigation steps in relation to the transfer of e-mail addresses to Mailchimp in the U.S.

On March 22, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published its paper on delivering a risk-based approach to regulating artificial intelligence (the “Paper”), with the intention of informing current EU discussions on the development of rules to regulate AI.

On March 12, 2021, the European Data Protection Board (“EDPB”) published its Guidelines 01/2021 on Virtual Voice Assistants for consultation (the “Guidelines”). Virtual voice assistants (“VVAs”) understand and execute voice commands or coordinate with other IT systems. These tools are available on most smartphones and other devices and collect significant amounts of personal data, such as through user commands. In addition, VVAs require a terminal device equipped with a microphone and transfer data to remote service. These activities raise compliance issues under both the General Data Protection Regulation (“GDPR”) and the e-Privacy Directive.

On March 2, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Data Protection Board (“EDPB”) consultation on draft guidelines on examples regarding data breach notification (the “Guidelines”). The Guidelines were adopted on January 14, 2021 for public consultation.

The recent UK case of Soriano v Forensic News and Others tested the territorial reach of the General Data Protection Regulation (“GDPR”) and represents the first UK judgment dealing with the territorial scope of the GDPR. This was a “service out” case, where the claimant, Walter T. Soriano, sought the Court’s permission under the UK Civil Procedure Rules to serve proceedings on the defendants, who were all domiciled in the U.S.

On January 18, 2021, the European Data Protection Board (“EDPB”) released draft Guidelines 01/2021 on Examples regarding Data Breach Notification (the “Guidelines”). The Guidelines complement the initial Guidelines on personal data breach notification under the EU General Data Protection Regulation (“GDPR”) adopted by the Article 29 Working Party in February 2018. The new draft Guidelines take into account supervisory authorities’ common experiences with data breaches since the GDPR became applicable in May 2018. The EDPB’s aim is to assist data controllers in deciding how to handle data breaches, including by identifying the factors that they must take into account when conducting risk assessments to determine whether a breach must be reported to relevant supervisory authorities and/or the affected data subjects.

On January 15, 2021, the European Data Protection Board (“EDPB”) and European Data Protection Supervisor (“EDPS”) adopted joint opinions on the draft Standard Contractual Clauses (“SCCs”) released by the European Commission in November 2020, for both international transfers (“International SCCs”) and controller-processor relationships within the EEA (“EEA Controller-Processor SCCs”). 

On November 23, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Data Protection Board (“EDPB”) consultation on draft guidelines on relevant and reasoned objections under the General Data Protection Regulation (“GDPR”) cooperation and consistency mechanisms (the “Guidelines). The consultation on the Guidelines took place a few weeks before the EDPB issued its first binding decision under the Article 65 GDPR dispute resolution mechanism.

On December 21, 2020, the European Data Protection Board (the “EDPB”) released its 2021-2023 Strategy (the “Strategy”). The Strategy aims at setting out the four main pillars of the EDPB strategic objectives through 2023 and key actions to help achieve those objectives:

On December 15, 2020, the Irish Data Protection Commission (“DPC”) announced its fine of €450,000 against Twitter International Company (“Twitter”), following its investigation into a breach resulting from a bug in Twitter’s design. The fine is the largest issued by the Irish DPC under the EU General Data Protection Regulation (“GDPR”) to date and is also its first against a U.S.-based organization.

On November 12, 2020, the European Commission published a draft implementing decision on standard contractual clauses for the transfer of personal data to third countries pursuant to the EU General Data Protection Regulation (“GDPR”), along with its draft set of new standard contractual clauses (the “SCCs”).

On November 11, 2020, the European Data Protection Board (the “EDPB”) published its long-awaited recommendations following the Schrems II judgement regarding supplementary measures in the context of international transfer safeguards such as Standard Contractual Clauses (“SCCs”) (the “Recommendations”). In addition, the EDPB published recommendations on the European Essential Guarantees for surveillance measures (the “EEG Recommendations”), which complement the Recommendations. The Recommendations are subject to a public consultation, which closes on December 21, 2020.

During its 39th plenary session on October 8, 2020, the European Data Protection Board (“EDPB”) adopted guidelines on relevant and reasoned objection under the General Data Protection Regulation (“GDPR”) (the “Guidelines”). The Guidelines relate to the cooperation and consistency provisions set out in Chapter VII of the GDPR, under which a lead supervisory authority (“LSA”) has a duty to cooperate with other concerned supervisory authorities (“CSAs”) in order to reach a consensus.

On September 24, 2020, the Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) released a new paper (the “Paper”) on the Path Forward for International Data Transfers under the GDPR after the CJEU Schrems II Decision.

On September 7, 2020, the European Data Protection Board (the “EDPB”) published Guidelines on the Targeting of Social Media Users (the “Guidelines”). The Guidelines aim to provide practical guidance on the role and responsibilities of social media providers and those using targeting services, such as for targeted advertising, on social media platforms (“targeters”).

On September 7, 2020, the European Data Protection Board (“EDPB”) released draft Guidelines 07/2020 on the concepts of controller and processor in the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”). The Guidelines aim to (1) clarify the concepts of controller, joint controllers, processor, third party and recipient under the GDPR by providing concrete examples with respect to each; and (2) specify the consequences attached to the different roles of controller, joint controllers and processor. The Guidelines replace the previous opinion of the Article 29 Working Party on these concepts.

On September 4, 2020, the European Data Protection Board (the “EDPB”) announced that it established two taskforces following the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems II case.

On September 3, 2020, the Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) of the European Parliament held a meeting to discuss the future of EU-U.S. data flows following the Schrems II judgment of the Court of Justice of the European Union (the “CJEU”). In addition to Members of the European Parliament (“MEPs”), the meeting’s participants included Justice Commissioner Didier Reynders, European Data Protection Board (“EDPB”) Chair Andrea Jelinek and Maximilian Schrems. Importantly, Commissioner Reynders stated during the meeting that the new Standard Contractual Clauses (“SCCs”) might be adopted by the end of 2020, at the earliest.

On August 27, 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) announced it approved the “Data Pro Code,” a code of conduct drafted by industry association NLdigital (the “Code”). This Code is the first code of conduct approved by the Dutch DPA under the EU General Data Protection Regulation (the “GDPR”). Adhering to the Code will help organizations active in the Information and Communications Technology sector comply with their obligations under the GDPR. The Code includes, among other things, a series of practical GDPR compliance tools, such as the “Data Pro Statement” that companies may use to inform potential customers of the data protection safeguards they have in place.

The U.S. Department of Commerce has issued two new sets of FAQs in light of the Court of Justice of the European Union’s (“CJEU’s”) recent decision to invalidate the EU-U.S. Privacy Shield in Schrems II. We previously reported on the Schrems II ruling and its implication for businesses that transfer personal data to the U.S. The new FAQs from the Department of Commerce address the impact of the decision on the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.

On July 28, 2020, German supervisory authorities (Datenschutzkonferenz, the “DSK”) issued a statement reiterating the requirement for additional safeguards when organizations rely on Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (“BCRs”) for the transfer of personal data to third countries in the wake of the Court of Justice of the European Union’s (the “CJEU”) invalidation of the Privacy Shield Framework. In its July 16, 2020 judgment, the CJEU concluded that SCCs issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid, subject to the need to assess whether additional safeguards are required depending on the recipient jurisdiction. In this same decision, the CJEU struck down the EU-U.S. Privacy Shield Framework.

On July 22, 2020, the European Data Protection Board (the “EDPB”) adopted an information note (the “Note”) to assist organizations relying on Binding Corporate Rules (“BCRs”) for international personal data transfers, as well as supervisory authorities, in preparing for the end of the Brexit implementation period on December 31, 2020. The Note is provided specifically for those groups of undertakings and enterprises that have the UK Information Commissioner’s Office (“ICO”) as the competent supervisory authority for their BCRs.

On July 24, 2020, the European Data Protection Board (the “EDPB”) published a set of Frequently Asked Questions (the “FAQs”) on the judgment of the Court of Justice of the European Union (the “CJEU”) in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid, but it struck down the EU-U.S. Privacy Shield framework. With its FAQs, the EDPB sought to provide responses to some of the many questions organizations are asking in the aftermath of the Schrems II ruling.

On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) invalidated the EU-U.S. Privacy Shield Framework as part of its judgment in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid, but it struck down the Privacy Shield framework on the basis that the limitations on U.S. public authorities’ access to EU personal data were not sufficient for the level of protection in the U.S. to be considered equivalent to that ensured in the EU, and that the framework does not grant EU individuals actionable rights before a body offering guarantees that are substantially equivalent to those required under EU law.

On July 8, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its White Paper (the “Paper”) as input for the European Data Protection Board’s (the “EDPB”) future guidelines on data subject rights (“DSRs”) (the “Guidelines”). The Paper, titled “Data Subject Rights under the GDPR in a Global Data Driven and Connected World,” was drafted following the EDPB stakeholders’ event on DSR in Brussels on November 4, 2019.

On June 25, 2020, the European Data Protection Board (“EDPB”) published a new register containing decisions by national supervisory authorities (“SAs”) based on the One-Stop-Shop cooperation procedure set forth under Article 60 of the EU General Data Protection Regulation (the “GDPR”). Under Article 60 of the GDPR, SAs have the duty to cooperate on cross-border cases to ensure consistent application of the GDPR. In this context, the lead SA is responsible for preparing draft decisions and working together with the concerned SAs to reach a consensus.

On June 19, 2020, France’s Highest Administrative Court (“Conseil d’Etat”) upheld the decision of the French Data Protection Authority (the “CNIL”) to impose a €50 million fine on Google LLC (“Google”) under the EU General Data Protection Regulation (the “GDPR”) for its alleged failure to (1) provide notice in an easily accessible form, using clear and plain language, when users configure their Android mobile devices and create Google accounts, and (2) obtain users’ valid consent to process their personal data for ad personalization purposes. Google had appealed this decision before the Conseil d’Etat. Because the Conseil d’Etat hears cases on appeal from the CNIL in both the first and last instances, the CNIL’s fine is now final. This fine against Google was the first fine imposed by the CNIL under the GDPR and is the highest fine imposed by an EU supervisory authority under the GDPR to date.

On June 16, 2020, the European Data Protection Board (the “EDPB”) released a statement on the processing of personal data in the context of reopening borders following the COVID-19 outbreak (the “Statement”).

On June 16, 2020, the European Data Protection Board (the “EDPB”) released a statement on the data protection impact of the interoperability of contact tracing apps within the EU (the “Statement”). The EDPB issued this Statement following the publication of “Interoperability guidelines for approved contact tracing mobile applications in the EU” by the eHealth Network on May 13, 2020. In its guidelines, the eHealth Network calls for an interoperable framework in the EU that would enable users to rely on a single contact tracing application regardless of the Member State or region in which they reside.

On May 29, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted formal comments to the European Commission’s Consultation on a European Strategy for Data (the “Strategy”).

On June 2, 2020, the European Data Protection Board (the “EDPB”) announced that it had released a statement on restrictions on data subject rights in connection with the state of emergency in EU Member States amid the COVID-19 pandemic (the “Statement”).

On May 18, 2020, the European Data Protection Board (“EDPB”) released its Annual Report (the “Report”) providing details of the EDPB’s work in 2019. This included publication of guidelines, binding decisions and general guidance on the interpretation of EU data protection law.

On May 6, 2020, the European Data Protection Board (the “EDPB”) published its Guidelines 05/2020 (the “EDPB Guidelines”) on consent under the EU General Data Protection Regulation (the “GDPR”). The EDPB Guidelines are a slightly updated version of the Article 29 Working Party’s Guidelines on consent under the GDPR (the WP29 Guidelines), which were adopted in April 2018 and endorsed by the EDPB in its first Plenary meeting.

On April 28, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the European Commission’s consultation on its roadmap for the two-year evaluation of the EU General Data Protection Regulation (“GDPR”) (the “Response”).

As the COVID-19 outbreak continues to unfold, businesses are dealing with new and unprecedented operational and legal challenges. There also are key data protection considerations for businesses in connection with the COVID-19 pandemic, including compliance with the requirements around the processing of personal data for health monitoring purposes, crisis management issues and steps to be implemented to ensure the continuity of privacy compliance programs.

On April 21, 2020, the European Data Protection Board (“EDPB”) adopted Guidelines on the processing of health data for scientific purposes in the context of the COVID-19 pandemic. The aim of the Guidelines is to provide clarity on the most urgent matters relating to health data, such as legal basis for processing, the implementation of adequate safeguards and the exercise of data subject rights.

On April 14, 2020, the European Data Protection Board (“EDPB”) adopted a letter concerning the European Commission's (the “Commission”) draft Guidance on apps supporting the fight against the COVID-19 pandemic. This letter was written to the Commission following the Commission’s adoption of a recommendation to develop a common European approach to using mobile applications and mobile location data in response to the pandemic on April 8, 2020.

On April 7, 2020, the European Data Protection Board (the “EDPB”) announced that it had assigned mandates to its expert subgroups to develop guidance on several aspects of data processing amidst the COVID-19 crisis.

On April 8, 2020, the European Commission adopted a recommendation to develop a common European approach to using mobile applications and mobile location data in response to the coronavirus pandemic (the “Recommendation”).

To help facilitate data sharing in light of the COVID-19 pandemic, the Global Privacy Assembly has begun compiling the latest guidance from data protection authorities around the world on data protection and data sharing. As of this blog post, the list contains guidance from 26 countries and territories across the globe as well the European Data Protection Board and the United Nations Special Rapporteurs. The list will be updated as additional guidance is provided.

On March 19, 2020, the European Data Protection Board (“EDPB”) published a new statement regarding processing personal data in the context of the COVID-19 outbreak. The EDPB said that emergency is a legal condition which may legitimize restrictions of individual freedoms, provided that these restrictions are proportionate and limited to the emergency period. Several considerations come into play in weighing the lawful processing of personal data in these circumstances.

On February 24, 2020, the European Data Protection Board (“EDPB”) published general policy messages and a synthesis of the contributions and replies by its members - national data protection authorities (“DPAs”) - to the Questionnaire on the Evaluation of the EU General Data Protection Regulation (“GDPR”) sent by the European Commission (the “Contribution”).

On December 11, 2019, the European Data Protection Board (“EDPB”) published its draft guidelines 5/2019 (the “Guidelines”) on the criteria of the right to be forgotten in search engine cases under the EU General Data Protection Regulation (“GDPR”). The Guidelines aim to provide guidance on: (1) the grounds on which individuals can rely for submitting a request for the right to be forgotten in relation to links to web pages containing their personal data; and (2) the exceptions to the right to be forgotten that search engine operators could use to reject such a request. The Guidelines will be supplemented by an appendix on the assessment of criteria for the handling of individuals’ complaints by EU data protection authorities following the refusal by search engine operators to grant the individuals’ request.

At its 15th plenary meeting, the European Data Protection Board (“EDPB”) adopted the final guidelines on the territorial scope of the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”), taking into account the feedback it received during the public consultation of its draft guidelines published on November 23, 2018.

On November 13, 2019, the European Data Protection Board (“EDPB”) published its draft guidelines 4/2019 (the “Guidelines”) on the obligation of Data Protection by Design and by Default (“DPbDD”) set out under Article 25 of the EU General Data Protection Regulation (“GDPR”).

On November 18, 2019, Hunton Andrews Kurth will host a networking luncheon in the firm’s Brussels office. The luncheon will feature Isabelle Vereecken, Head of the Secretariat of the European Data Protection Board ("EDPB"), and will focus on the role of the EDPB and cooperation between supervisory authorities ("SAs") in cross-border matters.

The European Data Protection Board recently published on its website that the Austrian Data Protection Authority (“Austrian DPA”) imposed an €18 million fine (approximately $20 million) on the Austrian Postal Service, Österreichische Post AG (“ÖPAG”), for various violations of the EU General Data Protection Regulation (“GDPR”). After conducting an investigation, the Austrian DPA established that ÖPAG unlawfully processed and sold data with respect to its customers’ alleged political affinities. Another GDPR violation was related to the ÖPAG’s ...

On September 17, 2019, the German Conference of Data Protection Authorities (Datenschutzkonferenz, (“DSK”) examined a proposal for calculating administrative fines under the EU General Data Protection Regulation (“GDPR”).  The press release of the DSK states that this initiative aims to ensure a calculation of fines against violations of the GDPR that is “systematic, transparent and understandable.” However, the press release refrains from describing the criteria of the fining model officially, as the fining model has not yet been adopted by the DSK.

On September 6, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the European Data Protection Board (the “EDPB”) on its draft guidelines on processing of personal data through video devices (the “Guidelines”). The Guidelines were adopted on July 10, 2019, for public consultation.