Photo of Natascha Gerlach

Natascha Gerlach’s practice focuses on electronic discovery and European data protection law.

The past few years have brought monumental changes to how we handle international data transfers from the EU. Schrems I, GDPR, Schrems II, Brexit and now the new Standard Contractual Clauses, published in June, 2021.

Here we share our views on improvements and challenges this modernised version of the SCCs has brought and how it

Main Takeaways

Recommendations 01/2020 of the European Data Protection Board (the “EDPB”) on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (the “Recommendations”)[1] attempt to provide a step-by-step roadmap to help EU data exporters transfer personal data outside the EU to third countries in a manner consistent with the judgment of the Court of Justice of the European Union (the “CJEU”) handed down on July 16, 2020, in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”, further described in Section 1 below).[2] The Recommendations were published on November 11, 2020 and can be relied upon immediately, even though they are subject to public consultation, with comments being due prior to December 21, 2020.
Continue Reading Recommendations of the EDPB Further to the CJEU’s Schrems II Judgment: One Step Forward, Two Steps Back?

In a highly-anticipated landmark judgment handed down on July 16, 2020, the Court of Justice of the European Union (the “CJEU”) in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”, summarised in part 3. below and the full text of which can be accessed here) has:

  • invalidated the European Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Data Protection Shield (the “EU-US Privacy Shield”) for transfer of personal data from the EU to entities certified under the mechanism located in the United States;
  • upheld the European Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established outside the EU (the “SCCs”); and
  • reminded that a transfer of data based on SCCs may be challenged before the competent supervisory authority, which has to “suspend or prohibit”, on a case-by-case basis, any such transfer when, in its view, the SCCs “are not or cannot be complied with.”


Continue Reading Schrems II: The CJEU Declares EU-U.S. Privacy Shield Invalid, Upholds the SCCs And Calls On 27 Supervisory Authorities to Ensure Their Compliance

On April 28, 2020, the Belgian data protection authority (the Gegevensbeschermingsautoriteit / Autorité de protection des données, the “Belgian DPA”), handed down a decision imposing a €50,000 fine on Proximus, Belgium’s largest telecommunications operator, on the ground that Proximus had failed to protect its data protection officer (“DPO”) from conflicts

The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2020”.

Increased regulation continues to be the trend in data privacy law, with 2019 bringing forth a host of new regulations and guidance on existing laws. This year, the pace will not likely

On October 1, 2019, the Court of Justice of the European Union (CJEU) issued a decision outlining the requirements for a user to consent to a service provider’s use of cookies.[1],  The Court held that active consent is required, and thus requiring a user to deselect a pre-checked tracking cookie notice in order to disallow the use of cookies does not sufficiently constitute consent to the collection and use of data under EU law.
Continue Reading The Way the Cookie Crumbles: CJEU Clarifies European Data Protection Rules for the Use of Cookies

On September 24, 2019[1], the Court of Justice of the European Union (the “CJEU”) handed down its much anticipated follow-on judgment[2] in connection with an individual’s right to have links removed from search results displayed following a search of that individual’s name on Google’s search engine.

Building on its recognition of a “right to de-referencing” in its landmark 2014 Google Spain judgment[3] (establishing the so-called “right to be forgotten” or “RTBF”), the CJEU now further clarified the territorial scope of such right, and limited the de-referencing obligation to Google’s search engine websites corresponding to EU Member States, as opposed to all domain name extensions (e.g., the obligation applies to domain names with top-level domain (“TLDs”) corresponding to EU Member States, such as “google.fr” for France or “google.be” for Belgium). The Court added that Google may need to use, “where necessary”, measures effectively preventing or seriously discouraging an internet user from accessing (on other versions of the search engine, which are not subject to the de-referencing obligation) the links at issue from an EU Member State. As a consequence, Google has no obligation to remove the links at issue on all Google websites worldwide (such as on “google.com”), but may need to implement sufficiently effective measures to prevent Internet users from accessing the links from the EU.
Continue Reading RTBF Stops at the Border: CJEU Sides with Google on the Scope of De-Referencing

While the EU General Data Protection Regulation 2016/679 (the “GDPR”) has grabbed headlines due to its extraterritorial reach and administrative fining regime (which permits fines for non-compliance up to the higher of €20 million or 4% of global, annual turnover),[1] a recent decision in the Northern District of California – Finjan v. Zscaler (“Finjan”)[2] – suggests that U.S. Courts won’t view the EU data protection legislation as an absolute obstacle to domestic discovery.  Finjan, as the first post-GDPR ruling of its kind, suggests that it will be business as usual navigating between U.S. civil discovery and EU law, at least from the U.S. courts’ perspective.
Continue Reading Can the GDPR Tip the Scales in U.S. Discovery – Finjan v. Zscaler

Responding to a request by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), the EU’s data protection supervisory bodies released an initial joint opinion on the impact of the U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) on the EU data protection framework.

The preliminary assessment by the European

In February of this year the German antitrust agency, the Federal Cartel Office (“FCO”), issued a decision against Facebook regarding their handling of user data. Please see our previous blog-post detailing the FCO’s arguments here

Facebook appealed and on August 26, 2019, the Düsseldorf Court of Appeal (“DCA”) in an interim decision granted suspensive effect to Facebook’s appeal against the FCO decision.

The DCA can order suspensive effect to an appeal if it has serious doubts whether the prohibition decision is legally valid.  Despite the preliminary character of the DCA’s decision, this could represents a significant setback for the FCO and have signaling effect beyond the German borders,. The DCA made certain important points on issues of law, which it will likely not revers during its main proceedings.
Continue Reading German Court Divorces GDPR and Competition Law in Facebook Appeal