
November 2020

EDPB Provides Guidance on Personal Data Transfers Following Schrems II

   

By: Kelly Hagedorn, David P. Saunders, and Matthew Worby

Earlier this year, in Schrems II, the Court of Justice of the EU (CJEU) invalidated the EU-US Privacy Shield.[1] That judgment also cast doubt over the validity of standard contractual clauses (SCCs) as a means by which to transfer personal data outside of the EU, in particular to the United States. Unsurprisingly, this has caused concern within organisations who rely on such transfers as part of their business model.

Data protection requirements, imposed by the GDPR, travel with any personal data whenever it is transmitted outside of the EU. Problems arise when an organisation needs to transfer personal data to a jurisdiction where local laws might undermine these protections. Without some way to manage this potential conflict, it was unclear if organisations’ personal data transfers outside of the EU would be able to continue.

Unfortunately, the CJEU provided no practical guidance for organisations as to how to make international personal data transfers compliant with its ruling and did not provide any safe harbour period before its ruling took effect. In recent days, however, two key efforts have been made to help organisations meet their post-Schrems II GDPR requirements:

  1. recommendations have been issued by the European Data Protection Board (EDPB);[2] and
  2. a revised set of SCCs has been published by the European Commission for consultation.

Recommendations Issued by the EDPB

The EDPB has published a practical roadmap for organisations seeking to transfer personal data internationally in a compliant manner in the wake of Schrems II. This roadmap sets out six recommended steps:

Continue reading "EDPB Provides Guidance on Personal Data Transfers Following Schrems II" »


California Passes Proposition 24: California Privacy Rights Act to Become Law

   

By: David P. Saunders, Kate T. Spelman, and Effiong K. Dampha

Privacy was on the ballot this November, at least in California. And it appears that enough people voted in favor of Proposition 24, the California Privacy Rights Act (CPRA), for it to become law. Although the CPRA technically becomes effective five days after the California Secretary of State certifies the voting results, the bulk of the law – which is an overhaul of the California Consumer Privacy Act (CCPA) – will not come into force until January 1, 2023. Businesses have some time to prepare for the most significant changes, which we have written about previously. Those changes include handling a new category of “sensitive personal information,” the expansion of the existing CCPA private right of action, and mandatory changes to company privacy policies. So what happens to the CCPA, and what do businesses have to prepare for? The answer is not much in the short term.

Until the CPRA becomes fully effective in 2023, the CCPA remains in full effect. That means businesses should keep up with their CCPA compliance, including being attentive to new California Attorney General regulations. The following CPRA provisions – which largely do not impact businesses directly – will become effective once the California Secretary of State certifies the voting results:

  • An extension of the carve out for business contact and employee personal information that is collected by businesses covered by the CCPA. In the existing CCPA, these carve outs were set to expire on January 1, 2021. The carve outs will now be extended to January 1, 2023.
  • A Consumer Privacy Fund will be created – with appropriations to be made by the legislature – with the purpose of “offsetting the costs” of state courts and the California Attorney General enforcing the CCPA (and later the CPRA). The fund will also be used “to promote and protect consumer privacy, educate children in the area of online privacy, and fund cooperative programs with international law enforcement organizations” in connection with addressing consumer data breaches.
  • The California Attorney General will be charged with developing a laundry list of new regulations, which will put meat on the bones of many of the new CPRA rules.
  • A new state agency, the California Privacy Protection Agency, will be created, funded, and begin operations.

Continue reading "California Passes Proposition 24: California Privacy Rights Act to Become Law" »