[ad_1]
1) EU-U.S. Transatlantic Data Privacy Framework
The international data transfer landscape from Europe continues to be dynamic. The European Commission has announced that it intends to issue a draft adequacy decision for the U.S. in December 2022. The decision follows the issuing of an Executive Order in October 2022 which sets out the foundations for this Transatlantic Data Privacy Framework (“Framework”) (for more information, see our blog post here), which, once enforced, will allow organizations to transfer personal data from the EU and U.S. without the need for a data transfer mechanism, such as the European Commission’s standard contractual clauses (“SCCs”), or to conduct a transfer risk assessment to evaluate and validate such data transfers.
In 2023, we can expect to see the practical implementation of the various safeguards identified in the Executive Order, such as the establishment of an administrative complaint system and the Data Protection Review Court, as identified in the seminal Schrems II judgement in 2020. The approved text of the Framework’s adequacy decision may also be available as soon as in the spring; however, privacy interest groups (such as NOYB, whose founder Max Schrems of Schrems II fame) have already begun to criticize the Framework, and it remains to be seen whether it will be subject to legal challenge like its predecessors. Regardless, the approved text will provide much awaited clarity to organizations, and once published organizations should assess whether the Framework is available to them as a data transfer mechanism, whether they can comply with the Framework’s requirements, and/or whether it should consider an alternative data transfer mechanism.
2) New Standard Contractual Clauses to cover the transfer of personal data to importers within the scope of the GDPR
In May 2022, the European Commission published Q&A on the SCCs, which stated that it was in the process of developing a new set of SCCs to cover transfers to data importers already subject to the GDPR by virtue of Art. 3 GDPR. This follows the approach taken by the European Data Protection Board’s guidance on data transfers published in November 2021, which requires organizations to continue to assess the risks and adopt supplementary measures even though the relevant transfer does not constitute a “data transfer” (i.e. where the data importer is already subject to the GDPR). The proposed SCCs are thus designed to avoid duplicating and deviating from the obligations of the GDPR that organizations are already required to comply with, and will take into account the requirements that already apply directly to those controllers and processors under the GDPR. We understand that these proposed SCCs may be published as soon as in the spring of 2023.
3) Continued scrutiny on data transfers arising through cookie usage across Europe?
In January 2022, the Austrian data protection regulator found that a website which used free analytics from a major provider was in breach of the GDPR’s data transfer rules; in particular, the website operator (as a data exporter) was found to have failed in ensuring that personal data transferred from Europe to the U.S. was provided with an adequate level of protection (for more information, see our blog post here).
The use of these analytics and similar trackers continues to be ubiquitous across websites globally; although some providers have updated their privacy standards to address concerns, the list of European regulators that have voiced their objections has been steadily growing in 2022, and currently include the Austrian, French, Italian, German (Rhineland), Liechtensteiner, Norwegian, Dutch and Danish data protection regulators, and may be indicative of a pattern of continued enforcement into 2023.
[ad_2]
Source link
