Since the adoption of the General Data Protection Regulation (GDPR), U.S. companies have invested a great deal of time and money in their compliance efforts; yet for many, their work is far from complete. For U.S. data importers, the July 2020 invalidation of the EU-U.S. Privacy Shield has left former “self-certified Shield” companies forced to find a new mechanism by which to lawfully transfer EU data into the U.S. Many of these companies will likely adopt the new set of standard contractual clauses (SCCs), once they are finalized by the European Commission.

After years of uncertainty, the fate of the EU-U.S. Privacy Shield (“Shield”) has finally been determined. On July 16^th, the EU’s highest court, the Court of Justice of the European Union (CJEU), declared the Shield to be invalid as a lawful mechanism for transferring the personal data of EU residents to the U.S.

If a poll was taken of all U.S. companies using the personal information of European Union (EU) residents in connection with their business activities, most would report having taken steps to comply with the General Data Protection Regulation (GDPR). If you asked the same businesses what they have done to comply with the EU ePrivacy Directive of 2002 (also known as the “Cookies” Directive)[1], which regulates the use of cookies and other tracking technologies, many would need to admit they have not done anything. 

New York-area member Stephan Grynwajc recently wrote an article comparing the key terms of the EU's General Data Protection Regulation (GDPR) and California's Consumer Protection Act (CCPA), which was featured on the blog of our UK partners, Legal Edge. 

Many U.S.-based life sciences companies outsource their clinical trial needs to laboratories outside of the U.S., including labs located in the European Union (EU). Others conducting clinical trials in the U.S. may be involved with the collection and processing of EU patients’ data in some other capacity. Despite the benefits of such international cooperation, these arrangements trigger an array of compliance obligations for U.S. companies under a number of EU laws[1], including the General Data Protection Regulation (GDPR) and its rules pertaining to data processing activities.

The novel coronavirus has upended business operations on a global scale, and mitigation efforts continue to be implemented to help organizations stay afloat during this unprecedented pandemic. On March 19th, the European Data Protection Board (EDPB), an informal working group comprised of representatives of each of the national data protection authorities in the EU, issued a statement regarding data processing activities during this public health crisis, emphasizing that while data protection rules should not hinder the fight against COVID-19, it is still imperative that certain prescribed steps be taken to ensure the protection of personal data.

Despite the global angst preceding the GDRP’s effective date, there’s been seemingly little news about enforcement efforts against noncompliant businesses. But, the reality is that EU regulators have been very busy working behind the scenes. As of February, 2019, nearly 100,000 claims under the GDPR have been lodged with EU national data protection authorities (“DPAs”), many relating to telemarketing and promotional e-mails. Similarly, just over 40,000 data breaches were reported to the DPAs; and 255 investigations into EU cross-border processing activities were initiated, mostly as a result of complaints filed by individuals.

The EU’s sweeping data privacy law – GDPR (General Data Protection Regulation) – will celebrate its one year anniversary later this month. In this time, the GDPR is credited with, among other things, inspiring other jurisdictions, including the United States, to adopt similar legislation designed to protect the rights of individuals over their personal data and increase the transparency of data collection and processing activities.