Two money-saving starting points on how to meet the requirement to assess the level of protection in third countries.

It's been more than two weeks since the CJEU announced its 'Schrems II' decision, introducing the requirement to evaluate the legal landscape in third countries (those of data importers) and put additional safeguards in place, as necessary, even if the data are transferred to third countries other than the USA based on SCC or BCR. FAQ issued …

Observations on Office Re-Engineering: Privacy Offices and Research Offices

Earlier today I had the opportunity to watch the highly useful IAPP webinar entitled What Works: Benchmarking and Improving your Privacy Program. I was particularly intrigued by the comments directed at improving / re-engineering a privacy office. The presenters emphasized the constant evolution of privacy regimes on a global scale, and that today …

European Essential Guarantees Guide (‘EEGG’) is now LIVE! with myself being one of the contributors thereto.

EEGG focuses on governmental measures aimed at surveillance, interception of communications, access to personal data and storage thereof by public authorities in different countries. EEGG provides a non-binding assessment by expert contributors worldwide of compliance with 'European Essential Guarantees' (summarized by the Working Party 29, the European Data Protection Board's predecessor) and subsequent European Court of …

Contract Negotiation Best Practices and SCCs

Given the recent CJEU decision in Schrems II with respect to standard contractual clauses (SCCs), it struck me as a good time to revisit best practices in contract negotiation. The suggestions below are the result of 18+ years' negotiating contracts in law, local government, and academia, including many with colleagues in Europe and beyond. Whether …

The Aftermath of Schrems II

Much has been written about the Schrems II case since its publication 9 days ago. Rather than simply repeat what many others have said on various privacy sites, I want to provide my own take on it within the broader context of what is going on in the world today. While Schrems II invalidated the …

DPAs’ guidances to survive in the post-‘Schrems II’ world

IAPP has set up a valuable resource collecting together guidances and statements issued by national DPAs in response to the recent CJEU ruling on the so-called 'Schrems II' case. The IAPP will aim to update the register on an ongoing basis. The link is below: https://iapp.org/resources/article/dpa-and-government-guidance-on-schrems-ii-2/ While privacy pros advise to seek to put in …

Schrems II: what does this mean in practice?

In the flurry of (my) excitement after the Schrems II judgement I got to thinking, isn’t this what we have been saying all along? Anyone who knows me, or who has attended one of my training sessions knows that I usually start with “compliance is not just about doing the right thing, but showing you …

Ambiguous status of SCC under the ‘Schrems II’ decision

As the whole privacy community already knows, the CJEU has today struck down the EU-US Privacy Shield scheme, while confirming the validity of SCC. Arguments against Privacy Shield have changed little since the 'Schrems I' decision that invalidated Safe Harbour - governmental intrusion, lack of proportionality, ineffective role of the ombudsperson. What is really new is that a …

On a crucial importance of TOMs under GDPR Article 32

The DPA of Baden-Württemberg (Germany) fined a health insurance company 1'240'000 EUR for insufficient implementation of TOMs, which resulted in the personal data of approx. 500 individuals being accidentally processed for advertising purposes without due consent. The fine is quite high, especially given that there have been some mitigating factors in this case: not too many data subjects …

Choice: Why should we care?

At the DrZero Show, I interviewed Karen Lawrence Öqvist on choice and data. She had a very interesting perspective on addressing legal and open-data-related issues by relating them to "choice". https://www.youtube.com/embed/j_3LxtdqxAs