The European Commission has issued a new set of standard contractual clauses (“SCCs”) to address new requirements under the GDPR, changes in the digital economy and, most importantly, the European Court’s judgment in Schrems II requiring supplementary measures for some exports. The new SCCs are comprehensive and fill some gaps, but they require data importers and exporters to invest significantly in documenting how they will overcome local government surveillance laws.
A lot has been made of the liability and transparency provisions of the EU’s proposed Digital Services Act.
However, there are also a few advertising-specific obligations (proposed to be) coming for online platforms that deserve a closer look.
The quickest-possible look at the EU’s draft Digital Services Act and proposed new obligations for intermediaries and online platforms.
Eden Legal will return with additional posts on: (1) liability for illegal content; and (2) specific adtech-related obligations, under the proposed Regulation.
#Lawinagraphic – minimum wordiness, maximum user-friendliness.
The European Commission has put forward a proposed Regulation on a European Approach for Artificial Intelligence, also known as the “Artificial Intelligence Act”. It is a proposal and, before entering into application, faces a likely lengthy path through the EU institutions, which seems bound to produce a hefty amount of debate and amendments.
Smart contracts are here. Eden Legal’s very initial, very personal thoughts on them.
Everything you need to know about appointing an EU and/or UK representative as required by the GDPR.
Update 14 February 2021: under the EU Council’s agreed position on the future E-Privacy Regulation, providers of electronic communications services, providers of publicly available directories, senders of direct marketing over electronic communications services, and anyone using processing and storage capabilities or collecting information processed by or emitted by or stored in the end-users’ terminal equipment (i.e. adtech!) will also be required to appoint a representative in the EU and communicate it to the relevant national supervisory authority.
The EU-UK Trade and Cooperation Agreement has avoided major changes to personal data flows between the EEA and UK at least until 30 April 2021. However, if we process data of individuals in both the EEA and the UK, then we face the prospect of complying with two similar but distinct regulatory regimes.
If you’re handling personal data subject to EU (and/or UK) laws then you would do well to read the UK Information Commissioner’s (“ICO”) decisions to fine Marriott and BA for failures to have in place appropriate cyber-security measures. And this post for 10 more easily digestible takeaways.
The Court of Justice of the EU has struck down the EU Commission’s EU-U.S. Privacy Shield Framework decision, but in principle left in place the EU Commission’s Standard Contractual Clauses, which organisations can sign in order to impose EU-style data protection obligations on non-EU data importers. For now, where we used to rely on the Privacy Shield framework, the pragmatic approach may be to sign SCCs – but the story won’t end there.
The EU-U.S. Privacy Shield framework may be an interesting tool to permit international transfers of personal data without any other permissions or contracts.
UPDATE: The Privacy Shield framework remains in place and we can still apply to be certified, but on 16 July 2020, the EU Court of Justice decided that it could no longer be used to authorise transfers of personal data from the EU/EEA/UK to the USA, and other mechanisms need to be used.