On March 15, 2021, the state Data Protection Authority of Bavaria declared the use of U.S. e-mail marketing service Mailchimp by a fashion magazine in Bavaria impermissible due to lack of compliance with Schrems II mitigation steps for the transfer of e-mail addresses to the U.S.
Continue Reading Bavarian DPA Declares Transfers to E-mail Marketing Service Prohibited Due to Lack of Controller’s Assessment and Supplementary Measures

On March 12, 2021, the European Data Protection Board (“EDPB”) published its Guidelines 01/2021 on Virtual Voice Assistants for consultation (the “Guidelines”). Virtual voice assistants (“VVAs”) understand and execute voice commands or coordinate with other IT systems. These tools are available on most smartphones and other devices and collect significant amounts of personal data, such as through user commands. In addition, VVAs require a terminal device equipped with a microphone and transfer data to remote service. These activities raise compliance issues under both the General Data Protection Regulation (“GDPR”) and the e-Privacy Directive.
Continue Reading EDPB Releases Guidelines on Virtual Voice Assistants

On February 19, 2021, the European Commission published a draft data protection adequacy decision relating to the UK. If the draft decision is adopted, organizations in the EU will be able to continue to transfer personal data to organizations in the UK without restriction, and will not need to rely upon data transfer mechanisms, such as the EU Standard Contractual Clauses, to ensure an adequate level of protection.
Continue Reading European Commission Publishes Draft UK Data Transfer Adequacy Determination

On January 26, 2021, BBB National Programs announced that it has been endorsed as an Accountability Agent for the APEC Cross-Border Privacy Rules and Privacy Recognition for Processors systems. This makes BBB National Programs the seventh CBPR and PRP Accountability Agent worldwide and the first ever U.S. non-profit to be approved by APEC.
Continue Reading APEC Endorses the First U.S. Non-Profit Accountability Agent

On January 15, 2020, the European Data Protection Board and European Data Protection Supervisor adopted joint opinions on the draft Standard Contractual Clauses released by the European Commission in November 2020, both for international transfers and for controller-processor relationships within the EEA.
Continue Reading EDPB and EDPS Adopt Joint Opinions on Draft SCCs

On January 13, 2021, the FTC announced that fertility-app developer Flo Health, Inc. (“Flo”) agreed to a settlement over allegations that the company shared app users’ health information with third-party data analytics providers despite representations that Flo would keep such information private.
Continue Reading FTC Settles with Fertility-Tracking App Developer Regarding Health Data Disclosures

On November 23, 2020, the Centre for Information Policy Leadership at Hunton Andrews Kurth submitted its response to the European Data Protection Board consultation on draft guidelines on relevant and reasoned objections under the General Data Protection Regulation cooperation and consistency mechanisms. This posts provides an overview of the EDPB’s guidelines and highlights CIPL’s response.
Continue Reading CIPL Submits Response to the EDPB Guidelines 09/2020 on Relevant and Reasoned Objections under the GDPR

Lexology’s Getting the Deal Through releases its 2021 guide on Data Protection and Privacy. Hunton’s privacy and cybersecurity team members serve as contributing editors of the guide and have authored multiple chapters, including on Belgium, the UK and United States. This blog entry provides a link to download the guide.
Continue Reading Hunton Privacy Team Contributes to 2021 Getting the Deal Through Guide on Data Protection and Privacy

On December 24, 2020, the European Union and the United Kingdom reached an agreement in principle on the historic EU-UK Trade and Cooperation Agreement. For data protection purposes, there is a further transition period of up to six months to enable the European Commission to complete its adequacy assessment of the UK’s data protection laws. For the time being, personal data can continue to be exported from the EU to the UK without implementing additional safeguards.
Continue Reading EU-UK Trade Deal: What It Means For Post-Brexit Data Flows