GDPR Compliance News

Fox Rothschild monitors the latest developments in the EU's implementation of its General Data Protection Regulation to keep clients ahead of the compliance curve. See below for the latest updates from Partner Odia Kagan, Chair of GDPR Compliance and International Privacy, which can also be found on our Privacy Compliance & Data Security Blog.

Recent Blog Posts

  • German DPA Offers Guidance on Post-Schrems II Data Transfers
    The Data Protection Authority of Rhineland-Palatinate, Germany has issued FAQs on Schrems II, weighing in on the EU-U.S. Privacy Shield and Standard Contractual Clauses. The guidance comes on the heels of FAQs issued recently by Baden-Wuerttemberg’s DPA. Here’s what the Rhineland-Palatinate authority says about EU-U.S. Privacy Shield: Privacy Shield: The EU-U.S. Privacy Shield can no longer be used as a transfer instrument. Data transfers on this basis are illegal. Those responsible must immediately switch to other transfer instruments from Chapter V of the General Data Protection Regulation...
  • European Commission Offers Automated Vehicle Data Privacy Recommendations
    In a detailed report titled “Ethics of Connected and Automated Vehicles,” the European Commission sets out key data protection recommendations. Connected and Automated Vehicles (CAVs) are vehicles that are both connected and automated and display one of the five levels of automation according to SAE International’s standard J3016, combined with the capacity to receive and/or send wireless information to improve the vehicle’s automated capabilities and enhance its contextual awareness. General recommendations: The acquisition and processing of static and dynamic data by CAVs should safeguard basic...
  • EU Cloud Services Group Working on Post-Schrems II Data Transfer Solution
    A new post-Schrems II transfer solution for cloud services? The EU Cloud Code of Conduct General Assembly, creators of the EU Cloud Code of Conduct, announced work is underway on a proposed legal solution for the transfer of personal data outside the EU. The Cloud Code of Conduct, which defines clear requirements for cloud service providers acting as “processors” under the General Data Protection Regulation (GDPR) and is adopted broadly by the cloud market, is under review by the European Data Protection Board...
  • Council of Europe Suggests Convention 108+ as Schrems II Data Transfer Solution
    “Convention 108+ (Convention 108 as amended by the protocol) is set to become the international standard on privacy and data protection in the digital age, and represents a viable tool to facilitate international data transfers while guaranteeing an appropriate level of protection for people globally,” say Alessandra Pierucci, Chair of the Committee of Convention 108 and Jean-Philippe Walter, Data Protection Commissioner of the Council of Europe. “Being Party to the Convention 108+ could in the future also facilitate the case-by-case assessment...
  • Report Highlights Data Privacy, GDPR Compliance Unknowns Related to Blockchain
    Blockchain and data protection: A report issued by the Law Society and Tech London Advocates & Global Tech Advocates highlights the extent of unknowns in a series of questions posed for the UK Information Commissioner’s Office. What does “all means reasonably likely to be used” mean under Recital 26 of the General Data Protection Regulation (GDPR)? Does this require an objective or subjective approach? Does the use of a blockchain automatically trigger an obligation to carry out a data protection impact assessment? Does the...
  • Revised, Washington State Privacy Legislation Moves Forward
    The Washington Privacy Act is back and now includes provisions for handling personal data during a public health emergency such as a pandemic. Its provisions are closer to the European Union’s General Data Privacy Regulation (GDPR) than the California Consumer Privacy Act (CCPA) and include: Controller and processor obligations; Right of correction; Provisions regarding profiling; Purpose specification; Data minimization; Mandatory Data Protection Impact Assessments, called Data Protection Assessments, in certain cases. Read the full text of the bill....
  • Swiss Privacy Regulator Rules U.S.-Swiss Privacy Shield Not Adequate
    On the heels of the Court of Justice of the European Union’s decision in Schrems II, Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) has determined that the U.S.-Swiss Privacy Shield does not meet the “requirements of adequate data protection as defined by the FADP (Swiss Federal Act on Data Protection).” It issued a policy paper offering advice on transferring data to countries not on its list of nations with adequate safeguards. Key takeaways from FDPIC decision: The FDPIC agrees with most...
  • EU Justice Commissioner Says No Quick Fix for Schrems II
    There is no quick fix to the Schrems II decision, says European Union Justice Commissioner Didier Reynders. Per Bloomberg Law: Justice Commissioner Reynders plans to finalize work by the end of this year on clauses that companies use to safely transfer data. In addition, talks with the U.S. will intensify in coming weeks on “sustainable solutions that deliver legal certainty” in line with the court ruling. Details from Bloomberg Law....
  • Guidance on Temperature Taking From the European Data Protection Supervisor
    The European Data Protection Supervisor has issued guidance on data protection and body temperature taking. Key takeaways: Basic body temperature checks designed to measure body temperature only, operated manually and not followed by registration, documentation or other processing of individuals’ personal data are, in principle, not subject to the regulation. Other systems of temperature checks, operated manually or automatically, followed by the processing of individuals’ personal data are subject to the regulation. Depending on the processing capabilities of the systems used, additional data protection...
  • French Regulator: Photo-Taking Time Clocks Are Too Invasive
    Automatic photo taking is excessive as a way to monitor employee working hours and a less invasive method should be used, French data privacy regulator CNIL told a number of employers. In its opinion, CNIL said that: Any system for controlling working hours must comply with the principle of minimization (Article 5 (1.c)) of the General Data Protection Regulation (GDPR). Data collected in this context must be adequate, relevant and limited to what is necessary. Per previous decisions by the Cour de Cassation...