Most U.S. companies by now have modified their business practices to comply with the General Data Protection Regulation (GDPR). However, when it comes to the use of analytics technologies such as Google Analytics, the compliance requirements are less clear given the added applicability of the EU “Cookies Directive” (formally, the EU Directive 2002/58/EC) which regulates the use of cookies alongside GDPR-imposed consent requirements. Although implementation of the Cookies Directive varies from country to country in the EU, a decision issued by one national authority can be suggestive of future action. Last year, France’s data protection authority, the French Commission Nationale de l’Informatique et des Libertés (CNIL), issued an important interpretation of the Cookies Directive as it relates to the use of Google Analytics on a website accessible by EU/EEA residents.

The clock is ticking! The deadline for switching to the new EU Standard Contractual Clauses (SCC) for data transfers between the EU and non-EU countries is December 27, 2022. As of that date, data controllers and processors around the world that process the personal data of EU residents will no longer be able to rely on the old SCCs without violating the General Data Protection Regulation (GDPR). In other words, companies are legally obligated to replace all previously used SCCs with the new ones, and should be able to demonstrate having done so in case of an audit.  

Since 2018, the General Data Protection Regulation (GDPR) has wielded a significant impact on privacy practices across the globe. Aside from offering strong protection for the personal data of European Union citizens, GDPR has effected many changes in the way companies conduct business when EU data is part of the equation. Likewise, it has become the gold standard and a model for privacy legislation in many jurisdictions within the United States, as well as around the world.

The General Date Protection Regulation (GDPR) made its debut on the global privacy stage in 2018, and now, three years later, most U.S. companies doing business in the EU are well-aware of the regulation’s main provisions and their daily operational impact. However, the GDPR’s rules are expansive; and as a result, some of its “lesser known” articles have been overlooked by a number of smaller companies with limited in-house privacy resources.

Since the adoption of the General Data Protection Regulation (GDPR), U.S. companies have invested a great deal of time and money in their compliance efforts; yet for many, their work is far from complete. For U.S. data importers, the July 2020 invalidation of the EU-U.S. Privacy Shield has left former “self-certified Shield” companies forced to find a new mechanism by which to lawfully transfer EU data into the U.S. Many of these companies will likely adopt the new set of standard contractual clauses (SCCs), once they are finalized by the European Commission.

After years of uncertainty, the fate of the EU-U.S. Privacy Shield (“Shield”) has finally been determined. On July 16^th, the EU’s highest court, the Court of Justice of the European Union (CJEU), declared the Shield to be invalid as a lawful mechanism for transferring the personal data of EU residents to the U.S.

If a poll was taken of all U.S. companies using the personal information of European Union (EU) residents in connection with their business activities, most would report having taken steps to comply with the General Data Protection Regulation (GDPR). If you asked the same businesses what they have done to comply with the EU ePrivacy Directive of 2002 (also known as the “Cookies” Directive)[1], which regulates the use of cookies and other tracking technologies, many would need to admit they have not done anything. 

New York-area member Stephan Grynwajc recently wrote an article comparing the key terms of the EU's General Data Protection Regulation (GDPR) and California's Consumer Protection Act (CCPA), which was featured on the blog of our UK partners, Legal Edge.