EDPS opines on EU-US data exchanges for security screenings and identity verifications | The General Court dismissed Latombe's action for annulment – and the EU-US DPF is safe for now.
16 Sep: Republic of Korea EU adequacy decision | 5 Sep: Commission with 🇧🇷 Brazil draft adequacy decision – Up next: EDPB Opinion, Member States reps approval and EP "right of scrutiny" | 22 July: Commission deems 🇬🇧 UK DUAA adequate.
28 July: EDPS closes its investigation into the European Commission’s use of Microsoft 365, now deeming it compliant after previously finding serious EUDPR violations, notably on purpose limitation and international transfers.
10 July: DPC launches new investigation into China transfers. Earlier: transparency breach by failing to disclose the third countries involved and didn't explain the nature of the transfers in its privacy policy --> get compliant in six months or stop the transfers (but order paused until Oct).
NB: On 9 July, CNIL appears to have updated the webpage with that date, though there don’t seem to be any actual changes – and the PDFs are still from January. Either way, here’s a quick reminder! 💬 "CNIL TIA template is one of the best templates available to the public!"
Update 4 Jul: EDPB shared high-res diagram! Earlier: I've reviewed the final version – mostly clarifications and my annotations on the public consultation one are still valid | EDPB Guidelines on Article 48 covering official requests from third country public authorities for personal data transfers.
The EDPB has updated the cooperation procedure for BCR approvals, detailing the roles of lead DPAs, review phases and the EDPB’s opinion process. 💡 This document replaces WP263rev.01.
[19 March: The case is appealed.] The CJEU's General Court orders the European Commission to pay €400 in non-material damages for US transfers made in March 2022, when no adequacy decision or alternative safeguard was in place.
Latest: The public consultations for new SCCs (third-country importers directly subject to the GDPR), announced in Sep 2024, are delayed from Q2 to Q3 2025. 🤔
EDPB Chair Anu Talus writes the Commissioner for Justice on the Commission's review of 11 adequacy decisions adopted under Directive 95/46/EC for: Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay. And isn't entirely happy.
[15 July: Municipalities complies with Jan order + 🚨 DPA asks for EDPB opinion on the scope of a controller's documentation obligations regarding a processor's use of sub-processors] The Danish DPA's landmark decision of 2022 to ban certain use of Google products and US transfers, is still ongoing.