UK Extension
Following the European Commission’s adequacy decision for the EU-US Data Privacy Framework (DPF) (for further information see here), the UK Government has announced that from 12 October 2023, organisations in the UK can transfer personal data to US organisations certified to the “UK Extension to the EU-US Data Privacy Framework”
Continue Reading UK: EU-UK Data Privacy Framework ExtensionCJEU’s landmark decision in Meta vs Bundeskartellamt allows GDPR scrutiny through antitrust regulators and imposes strict limitations on the personalised use of consumers’ personal data by social media platforms
By Verena Grentzenberg, Philipp Schmechel, Dr. Jonas Kranz
On 4 July 2023, the European Court of Justice (“CJEU”) delivered its judgment in Meta vs
Continue Reading EU: CJEU’s landmark decision in Meta vs BundeskartellamtAuthors: Jim Sullivan, Rachel De Souza, Heidi Waem, John Magee and David Brazil
On 10 July 2023, the European Commission adopted its long-awaited adequacy decision for the EU-US Data Privacy Framework (DPF). The DPF replaces the Privacy Shield Framework (Privacy Shield) which was invalidated by the Schrems II decision of
Continue Reading European Commission adopts new adequacy decision for EU-US data flowsAuthors: Jim Sullivan, Rachel De Souza, Heidi Waem, John Magee and David Brazil
On 10 July 2023, the European Commission adopted its long-awaited adequacy decision for the EU-US Data Privacy Framework (DPF). The DPF replaces the Privacy Shield Framework (Privacy Shield) which was invalidated by the Schrems II decision of
Continue Reading European Commission adopts new adequacy decision for EU-US data flowsGlobal flows of personal data have been a source of geopolitical concern for many years now. The Court of Justice of the European Union’s “Schrems II” judgement has revived the debate and organisations around the world now have to map personal data flows and conduct transfer impact assessments, while patiently awaiting the developments around the
Continue Reading EU: International data transfer rules for non-personal dataWith the Cyberspace Administration of China’s (“CAC”) release last week of the Guidelines for Filing of Standard Contracts for Cross-border transfers of Personal Information (“Guidelines”), organisations processing Mainland China personal data must now turn their attention to the China Standard Contractual Clauses (“China SCCs”) route for legitimizing their cross-border
Continue Reading CHINA: China SCCs filing procedure now published – more preparation work must be done, and filings will be scrutinizedDecision could imperil other companies’ transatlantic transfers as well
By: John Magee, Andrew Dyson, James Sullivan, Andrew Serwin, Claire O’Brien & Rachel De Souza
The Irish Data Protection Commission (DPC) has published a decision that could impact the ability of thousands of companies to move personal data from the European Economic Area (
Continue Reading Ireland/EU: Irish DPC bans Meta’s EU-US data flows and issues record €1.2bn fine
On 26th April, the General Court of the European Union (EGC), published its judgment in Case T-557/20, Single Resolution Board (SRB) v European Data Protection Supervisor (EDPS), in relation to the threshold between pseudonymous and anonymous data.
The EGC held that pseudonymised data transmitted to a data
Continue Reading Europe: EU General Court Clarifies When Pseudonymized Data is Considered Personal Data
On 4 May 2023, European Court of Justice (“CJEU”) delivered its judgment regarding the interpretation of Article 82 of the General Data Protection Regulation (“GDPR”). The CJEU held that mere infringement of the GDPR does not give rise to a right to compensation. However, there is no requirement for the non-material
Continue Reading Europe: CJEU holds that mere infringement of the GDPR does not give rise to a right to compensation
Authors: Verena Grentzenberg and Katja-Maria Harsdorf
On 20 April 2023, the Advocate General (“AG”), Nicholas Emiliou, published his Opinion in the case of FT v DW, (C-307/22). In particular, the AG took the view that Art. 12(5) and Art. 15(3) GDPR must be interpreted as requiring a data controller to provide the
Continue Reading Europe: Advocate General delivers Opinion on the right of access for purposes unrelated to data protection
