Posts relating to exporting personal data from the European Economic Area
A fascinating panel at the PrivSec Global conference looked at how individual courts and regulators have responded to the Schrems II decision on international transfers of personal data. That decision, and the subsequent guidance from the European Data Protection Board, aimed to establish a consistent regime for transferring personal data from the EEA to external […]
The ICO’s proposals for international transfers seem closer to the actual findings of the Schrems II case than the EDPB’s effective demand that processing of non-pseudonymised data be kept within Europe. However, as a risk-based scheme, it will require more work from both exporters and importers to demonstrate that transferring doesn’t create significantly greater risk […]
For the past twenty-five years I’ve tried to avoid saying “no”. Whether in website management, security or law, “have you thought of…?” seems much more fruitful. In the short term it lets us discuss alternatives, in the long term it encourages – or at least doesn’t discourage – the questioner to come back. So it […]
The European Data Protection Board (the gathering of all EU Data Protection Regulators) has now published its initial guidance on transfers out of the EEA following the Schrems II case. This recommends that exporting organisations follow a similar roadmap to the earlier one from the European Data Protection Supervisor (who regulates the EU institutions). In […]
The European Data Protection Supervisor (EDPS) has responded to the Schrems II judgment with a risk-based roadmap for EU institutions: Perform an inventory of all flows of personal data to entities outside the EU; Priority for change will be existing transfers with either no legal basis, those based on a derogation, and those to organisations […]
After a couple of years when the question of data location had dropped a little down the priority list, two things have pushed it back up again. First, the Schrems II decision of the European Court, which cancelled the US-EU Privacy Shield and added some – but it’s not yet clear how onerous – new […]
Colleagues set me the challenge of saying something about my work in one minute. So here (on YouTube) is a “peacast” – my wife says it’s too small to be a “podcast” – on Brexit and GDPR: Comments very welcome on the format and, if you like it, suggestions for any other topics I could […]
The recent Schrems II decision on Standard Contractual Clauses found that, in some situations, data exporters and importers might need to agree additional measures beyond just relying on SCCs. While we’re waiting for the Information Commissioner and EDPB to give more detailed advice on which situations and which measures, here are some themes I’ve spotted […]
[UPDATE 27/7/20: the ICO has now published a statement on the decision] On July 16th 2020, the European Court of Justice made its long-awaited decision in the case of Data Protection Commissioner [Ireland] v Facebook Ireland Ltd and Maximillian Schrems, generally known as “Schrems II”. This concerned two of the GDPR’s mechanisms for transferring personal […]
I was recently invited by EDUCAUSE to present a webinar on GDPR to their community of mostly North American universities and colleges. The number of participants indicates that European data protection law is a topic of interest. But the most common question was why, as non-EU organisations, they should care about GDPR. So I wrote […]