Nearly half of all websites use cookies, small text files stored on internet users’ computers and mobile devices so web servers can track that user. Cookies come in a variety of flavors in terms of their purpose, the party placing the cookie, and the duration they last on a user’s device. For example, a cookie may have a functional (e.g., cookies that remember visitors’ preferred language), analytical (e.g., cookies that report site usage statistics), or advertising/marketing purpose (e.g., cookies used to retarget advertising to visitors). “First-party cookies” are placed directly by the website being visited, while “third-party cookies” are set by a party other than the website’s owner. “Session cookies” are deleted after the user’s session on the website ends, while “persistent cookies” can last from days to years after the end of the user’s session.
The EU-UK Trade and Cooperation Agreement provided breathing room for businesses engaging in data transfers from the EU to the UK in the form of a ‘bridging period’ of up to six months where such transfers can continue uninterrupted (see our previous OnPoint here). However, the longer-term goal of an adequacy decision for the UK is still key to ensuring free flows of personal data between the EU and the UK.
In the last week, positive sounds have been made by both the UK and the EU. According to Joe Jones (Head of International Data Transfer Regime at the UK Department of Digital, Culture, Media and Sport), who was speaking at a City of London Corporation’s International Regulatory Strategy Group (IRSG) Data Workstream meeting, the European Commission has already produced a draft adequacy decision. Bruno Gencarelli (Jones’ counterpart at the European Commission) has also given an update on timing, saying at an IAP
Background – how could the EU set out these guidelines?
Two weeks ago, the EU, via the European Data Protection Board (“EDPB”), published their guideline on how to transfer personal data outside the EU. It is a consequence of the ECJ’s so-called Schrems II judgment. Those who hoped that the guideline would simplify third country transfers were not satisfied. It is tempting to say that these guidelines are causing more stir and change of business models than the introduction of GDPR itself. The EU is actually saying that many cloud set-ups have been designed and sold in a way that was not compliant with GDPR (nor
International data transfers need a flexible and risk-based approach
The European Data Protection Board draft recommendations 01/2020 on “measures that supplement international transfer tools to ensure compliance with the EU level of protection of personal data” provide useful further guidance on how to comply with the CJEU ruling in Schrems II.
However, practical implementation of these recommendations will be very difficult for organizations. Some technical and contractual measures mentioned by the EDPB do not seem very realistic and effective for data access by public authorities and for organizations that routinely transfer data as part of their activities
For GDPR compliance, the EDPB and regulators throughout the EU have been calling for organizations to take a “risk-based approach”. It now seems that for international data transfers, the EDPB is departing from this and has a more restrictive approach which looks contrary to, for instance, the European Commissi
February 1, 2021
For the third consecutive year, following the publication of Gibson Dunn’s ninth annual U.S. Cybersecurity and Data Privacy Outlook and Review on Data Privacy Day, we offer this separate International Outlook and Review.
Like many recent years, 2020 saw significant developments in the evolution of the data protection and cybersecurity landscape in the European Union (“EU”):
CJEU” or “Court”) struck down as legally invalid the EU-U.S. Privacy Shield, on which some companies relied to transfer personal data from the EU to the U.S. While companies are turning to other frameworks to transfer personal data, such as Standard Contract Clauses (“