Enforcement by European DPAs against data transfers

What can organisations do if they have relied on Google Analytics to measure the effectiveness of their website? Katharina A. Weimer of Fieldfisher Germany explores the issues.

In the immediate aftermath of the ECJ ruling Schrems II (C311/18), there was a stunned silence, while companies and data protection authorities alike grappled with the consequences. The data protection authorities started issuing guidelines and opinions, making it quite clear that there was no grace period for making the necessary changes and that it was their obligation to enforce the ruling, with all its consequences. And of those there are many. Most notably, any transfer (including making available) of personal data from the EU/EEA to a recipient outside of the EU/EEA now entailed a whole host of new assessments and documentation, without the help of the Privacy Shield for transfers to the US. It seemed that all of a sudden, the question of “adequate level of safety” for the data transferred was now to be taken seriously, even for transfers to the US.

Continue reading

International Report subscribers: please login to access the full article.

If you wish to subscribe, please see our subscription information.