In a judgment of August 1, 2022, the Court of Justice of the European Union (CJEU) provided further guidance on two important aspects of the General Data Protection Regulation (GDPR) (CJEU C-184/20). In summary, the CJEU held that, first, for a national law that imposes a legal obligation to process personal data to be able to constitute a legal basis for processing, it needs to be lawful, meaning that it must meet an objective of public interest and be proportionate to the legitimate aim pursued, and second, that non-sensitive data that are liable to reveal sensitive personal data need to be protected by the strengthened protection regime for processing of special categories of personal data.Continue Reading Processing of Personal Data That May Indirectly Reveal Sensitive Information on the Basis of a Legal Obligation: The CJEU Draws the Contours

At 9:30 a.m. Central European Time, privacy professionals around the world were refreshing their browsers to read the long-awaited judgment of the Court of Justice of the European Union (CJEU) principally addressing the viability of Standard Contractual Clauses (SCCs) and the EU-U.S. Privacy Shield (Privacy Shield) as means to transfer personal data from the European Union (EU) to the United States (U.S.).

When the judgment arrived, it landed with a bang: though the CJEU upheld the use of SCCs, it invalidated the Privacy Shield, the well-known mechanism to transfer personal data from the EU to the U.S.  The decision also cast doubt on the viability of other options, including SCCs, for making transatlantic transfers.

The foundation of this decision and previous decisions affirming challenges to U.S. privacy practices is that the protection of personal data is a fundamental right in the EU, akin to a constitutional right in the U.S.  The General Data Protection Regulation (GDPR) enshrined these fundamental rights and established uniform data protection standards across the EU designed to protect the personal data of EU-based individuals.Continue Reading Privacy Shield Invalidated: EU Data Transfers to the U.S. under Siege (again…)