The European Commission has published its final Implementing Decision on new standard contractual clauses (SCCs) for the transfer of personal data to third countries.

The new SCCs have been expected for some time in order to address the entry into force of the GDPR and the requirements of that regime. The delay to the update was due partly to the European Court of Justice’s decision in Schrems II (C-311/18), and the need for the European Commission to reconcile the new SCCs with that decision. They also take into account the Joint Opinion (2/2021) of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) on the draft SCCs, as well as the EDPB’s draft recommendations on supplementary measures.

Continue Reading European Commission publishes finalised SCCs

The Data Protection Commission (DPC) has completed its ‘own volition’ inquiry into whether the Department of Employment Affairs and Social Protection interfered with the role of its Data Protection Officer (DPO).  The inquiry concerned the process leading to the amendment of the Department’s Privacy Statement on 6 July 2018. The DPC examined whether the Department’s DPO was involved in a proper and timely manner in the process (as required by Article 38(1) of the GDPR); and whether the DPO received instructions regarding the exercise of his tasks (contrary to Article 38(3) of the GDPR). The DPC concluded that the Department had not breached Articles 38(1) or 38(3) of the GDPR.

Continue Reading DPC completes statutory inquiry into suspected interference with role of DPO

The High Court, in a 197-page judgment, has dismissed a legal challenge against a decision by the Data Protection Commission (DPC) to commence an “own volition” inquiry into the applicant’s data transfers to its parent company in the US, and to issue a preliminary draft decision (PDD) proposing to suspend such transfers.

The applicant brought judicial review proceedings against the DPC, alleging that the inquiry and PDD were unlawful on a number of procedural grounds. In particular, the applicant claimed that the DPC had breached its legitimate expectation that the DPC would follow the statutory inquiry procedure set out in its Annual Report for 2018, on its website, and that it had adopted in other inquiries. The applicant also claimed the DPC had breached its right to fair procedures by failing to conduct an investigation/inquiry before reaching a decision. The High Court rejected all of the applicant’s grounds of challenge, finding that the DPC’s decision to commence an inquiry and issue the PDD, along with the associated procedural steps, were lawful.

The proceedings concerned the procedural rights and obligations of the parties in the context of the DPC’s inquiry following Schrems II, rather than the merits of the DPC’s preliminary views in the PDD.

Continue Reading High Court rejects procedural challenge against DPC’s inquiry into EU-US data transfers

Last Friday 21 May 2021, MEPs passed a resolution asking the EU Commission to modify its draft UK adequacy decisions, to bring them into line with recent EU court rulings and to address concerns raised by the European Data Protection Board (EDPB) in its recent opinions. The EDPB stated that UK law and practice relating to bulk data collection, onward transfers and its international agreements in the field of intelligence sharing, need to be further assessed by the EU Commission.

Continue Reading MEPs ask European Commission to amend draft UK adequacy decisions

The Data Protection Commission (DPC) is accepting feedback on its Draft Regulatory Strategy for 2021–2026 until 30 June 2021. We have set out the key highlights of the Strategy below.

The DPC’s strategic goals are to: (i) regulate consistently and effectively; (ii) safeguard individuals and promote data protection awareness; (iii) prioritise the protection of children and other vulnerable groups; (iv) bring clarity to stakeholders; and (v) support organisations and drive compliance.

Continue Reading DPC seeks feedback on Draft Regulatory Strategy for 2021-2026

The Portuguese Data Protection Authority (known as the CNPD) has ordered the National Institute of Statistics (NIS) in Portugal to stop sending census data to the U.S. or other third countries, that do not provide an adequate level of data protection.

NIS used Cloudfare Inc. (a U.S. based company) to assist it with the collection of personal data from Portuguese citizens in 2021 Census Surveys. Following receipt of complaints about the collection of census data via the internet, the CNPD carried out an investigation into NIS. The CNPD found that NIS had a contract in place with Cloudfare Inc ., which provided for the transfer of the census data to the U.S., using the Standard Contractual Clauses (SCCs).  It noted that Cloudfare Inc., as a U.S. company, is directly subject to U.S. surveillance legislation for national security purposes, which provides U.S. public authorities with unrestricted access to personal data in its possession, without informing data subjects.

Continue Reading Portuguese Data Protection Authority suspends data transfers to the U.S.