Support Centre



With the new scenario following the Court of Justice of the European Union's ('CJEU') decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), the legitimation of international data transfer flows has changed, directly impacting the regulation of the different technologies and vendors in the online advertising field. Dmitry Alekseev and Javier Arnaiz, Senior Associates at ECIJA, discuss this issue and its nuances. [This insight has been updated in July 2021 in light of the finalised EDPB Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data]

Shareholder activism resulting in unseating three directors at a Fortune 10 company. A key court decision on climate change. Progress on a sweeping EU Directive on Corporate Due Diligence and Corporate Accountability1, and new laws passed in Norway and Germany, addressing broad environmental, social, and governance ('ESG') and human rights mandatory due diligence and corporate accountability. Building on an ESG Task Force at the US Securities and Exchange Commission ('SEC') launched in March, legislation that just passed the US House of Representatives which, if passed by the Senate (challenging) and enacted, would increase public company ESG disclosures. Tara Giunta and Quinn Dang, Partner and Associate respectively at Paul Hastings LLP, unpack the evolving ESG landscape and considerations for organisations.

Following already long-standing development in the area of innovative technologies, the benefits of the digital economy are rooted in personal data collections and flows through a complex data ecosystem. Given the complexity of the digital products, systems, and services, individuals might find it hard to get their heads around the consequences that these innovative technologies and products can pose to their right to privacy and protection of their personal data. Likewise, organisations might not fully realise the extent of the consequences for individuals, society, and businesses. While some organisations might already have a robust privacy risk management, a common understanding of many aspects of this topic is still missing. Petruta Pirvan, IAPP Training Collaborator at Purpose and Means, discusses the management of privacy risks and what needs to be considered at different levels in a business.

The European Commission announced, on 4 June 2021, that it had adopted two new sets of Standard Contractual Clauses ('SCCs') on international data transfers which will accentuate the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), as well as the Court of Justice of the European Union's judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II'). Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, provides seven key takeaways from the SCCs, highlighting what companies need to consider moving forward, including third country local laws and supervisory authority designation.

Following much anticipation, the European Commission announced, on 4 June 2021, that it had adopted two sets of Standard Contractual Clauses ('SCCs'), one for use between controllers and processors ('the Controller-Processor SCCs') and one for the transfer of personal data to third countries ('the Third Country Transfer SCCs'). This page presents all the key resources and documents organisations can rely on to address the new set of SCCs.

With the rise of the internet since the 1990s, the world has become highly interconnected. The volume of data collected and processed by companies has grown exponentially as a result of the introduction of innovative digital products and the spread of wearable technologies, the growing dominance of social media and online retail, as well as online education and research. In the last few years, the need for privacy legislation has been recognised across the Middle East and North Africa ('MENA') region with the introduction of new privacy laws. Masha Ooijevaar and Dino Wilkinson, from Clyde & Co., discuss the current privacy landscape across MENA and how companies operating in this region can create and build upon a culture of privacy.

There is a visible trend involving both greater awareness of individuals on how their personal data is processed and, as a result of that, the desire (or necessity) of the companies processing such data to increase transparency and fairness towards the users, either ex officio or as a consequence of an admonition or fine. Dmitry Alekseev and Natalia Antunez, from ECIJA, provide an overview of data collection by vehicles depending on the level of automation and purposes, alongside the challenges posed to cybersecurity and data protection.

The legal challenges presented by wearable tech undoubtedly require a multifaceted and nuanced approach. Following on from Part 2 of this series, Saba Samanian, Associate at Norton Rose Fulbright, discusses how to actively involve innovators in making such technologies privacy friendly.

New technologies may reveal shortcomings in pre-existing legislation and how the broad, 'catch-all' language employed may be insufficient. As explored in Part 1 of this series, wearable tech is one example of a development that can call the efficacy of such laws into question. In Part 2, Saba Samian, Associate at Norton Rose Fulbright, delves further into this topic, giving an overview of the issues faced when regulating new technology and how common law jurisdictions such as Canada may meet these challenges.

In recent years, digital transformation has disrupted the traditional models of education. New methods have emerged for educating students, researchers, professors, educationists, and remote learners across the globe, regardless of territorial and geographical boundaries. The bulk of this frequent transmission of knowledge through well designed learning applications is referred to as Education Technology ('Edtech'). Ololade Oloniyo, Data Privacy Practitioner and Convener at IP Law Discourse, discusses data protection considerations for the Edtech industry and the business value of privacy for Edtech companies.

While privacy laws are generally intended to be technologically neutral, rapid advancements in areas such as wearable tech may create challenges herein. Indeed, wearable tech may have serious privacy implications and reveal much of the wearer's personal data, meaning that in practice they may be more like the emperor's new clothes. In Part 1 of this series, Saba Samanian, Associate at Norton Rose Fulbright, introduces this topic and discusses possible regulatory solutions.

As almost 400 million people worldwide have been vaccinated against the Coronavirus, the prospect of 'vaccine passports' is becoming an ever-increasing reality in order to get back to normal. Petitions have already been started in the UK to try and stop this almost inevitable reality, but are they really as bad as people are expecting, and to what extent will they be infringing on our privacy? Jamal Ahmed, Global Privacy Consultant at Kazient Privacy Experts, discusses the viability of vaccine passports and the privacy concerns that come with them.