International Data Transfers

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to international data transfers.

Featured Resources Latest News and Resources Standard Contractual Clauses CJEU Cases: Schrems I & II EU-US Privacy Shield APEC Cross-Border Privacy Rules Binding Corporate Rules Regional Resources

Featured Resources

EU-US Data Privacy Framework

This page will stay updated with the latest announcements, analysis and additional resources covering the long-awaited EU-U.S. Data Privacy Framework.
Read More

Text comparison: From Privacy Shield to DPF

To aid Privacy Shield businesses in assessing any changes between the Privacy Shield principles and DPF principles, IAPP created a redlined version of the document. To streamline this review, the swapping of terms such as “Privacy Shield” for “DPF” are not highlighted, but all other changes are marked.
Read More

From Privacy Shield to the Trans-Atlantic Data Privacy Framework

The EU and U.S. announced an agreement “in principle” on a new Trans-Atlantic Data Privacy Framework framework. This infographic outlines the EU adequacy process.
Read More

Latest News and Resources

The EU-US Data Privacy Framework and next steps for data transfers

Original broadcast date: Oct. 7, 2022 In this LinkedIn Live event, IAPP's Caitlin Fennessy, CIPP/US, Alton & Bird's Peter Swire, CIPP/US, American University Washington College of Law's Alex Joel, CIPP/G, CIPP/US, and Future of Privacy Forum's Gabriela Zanfir-Fortuna discuss U.S. President Joe Biden's executive order implementing the EU-U.S. Data Privacy Framework. Watch the full recording on LinkedIn. Access the IAPP's LinkedIn profile ... Read More

Save This

Transfer Impact Assessment Templates

Organizations around the world have begun conducting transfer impact assessments. The IAPP has published the following templates as one resource to assist privacy professionals in conducting TIAs, and welcome additional templates that can be shared with the privacy community. Read More

Save This

EU Standard Contractual Clauses (Word documents)

On June 4, 2021, the European Commission released new standard contractual clauses for international data transfers. The IAPP’s Research Team created four separate Word documents, one for each transfer scenario accommodated by the new SCCs, incorporating only the modules relevant to that scenario into each document. Read More

Save This

Implications of EU-US Data Privacy Framework as adequacy decision looms

Now that U.S. President Joe Biden has issued an executive order to implement the EU-U.S. Data Privacy Framework, privacy professionals are preparing to resume transferring personal data across the Atlantic without being bound by alternative means, like standard contractual clauses, for the first time in more than two years. During a session at the IAPP Privacy. Security. Risk. 2022 conference in Austin, Texas, IAPP Chief Knowledge Officer Caitlin Fennessy, CIPP/US, sat down with U.S. Department... Read More

Save This

The redress mechanism in the Privacy Shield successor: On the independence and effective powers of the DPRC

On Oct. 7, U.S. President Joe Biden issued an “Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities,” and the Department of Justice supplemented it with a new regulation. As explained by the Commission of the European Union, the executive order and regulation establish “a new two-layer redress mechanism, with independent and binding authority.” In the first layer, “EU individuals will be able to lodge a complaint with the so-called ‘Civil Liberties Protecti... Read More

Save This

	Frequently Asked Questions & Resources on ‘Schrems II’ (IAPP)
	White House executive order brings EU-US data flow deal closer to finish line (IAPP, October 2022)
	The EU-US Data Privacy Framework: A new era for data transfers? (IAPP, October 2022)
	‘Data transfer theater:’ The US and Israel take the stage (IAPP, October 2022)
	RIPD publishes guidelines for international data transfers (IAPP, October 2022)
	UK-US data access agreement takes effect (IAPP, October 2022)
	Sample Data Processing Agreement – Hubspot (Hubspot, September 2022)
	China cross-border data transfer mechanism and its implications (IAPP, August 2022)
	Will China’s new certification rules be a popular legal path for outbound data transfers? (IAPP, August 2022)
	Google commits to Global CBPR system (IAPP, July 2022)
	EDPB releases opinion on EU-Russia data transfers (IAPP, July 2022)
	Irish DPC files draft order to halt Meta’s data transfers to US (IAPP, July 2022)
	Data transfers in the data strategy: Understanding myth and reality (Digital Europe, June 2022)
	The Global Cross Border Privacy Rules Forum (IAPP, June 2022)
	How privacy pros can help the OECD’s cross-border efforts (IAPP, May 2022)
	CNIL issues compliance notices, Q&A for data transfers with Google Analytics (IAPP, June 2022)
	European Commission publishes Q&A on SCCs for data transfers (IAPP, May 2022)
	State of the transfer: Global data flows in focus (IAPP, April 2022)
	US Commerce Dept. announces ‘historic’ Global CBPR Forum for data transfers (IAPP, April 2022)
	Web Conference: The Latest Insights on Managing Cross-Border Data Transfers (IAPP, April 2022)
	Officials ‘thrilled’ with EU-US data flows agreement, ‘work continues’ on finalization (IAPP, April 2022)
	EU, US agree ‘in principle’ to new trans-Atlantic data agreement (IAPP, March 2022)
	Top 5 operational impacts of China’s PIPL — Part 5: International data transfers (IAPP, March 2022)
	Data portability in the EU: An obscure data subject right (IAPP, March 2022)
	Data transfers, UK GDPR reform top of mind at DPI: UK (IAPP, March 2022)
	LinkedIn Live: ‘Data Transfer Enforcement, Risk and Compliance: What You Need to Know Now’ (IAPP, February 2022)
	Privacy and security for big data processing in the financial sector (IAPP, May 2022)
	Post-‘Schrems II’: Can EU regulators set aside a risk-based approach for conducting transfer impact assessments? (IAPP, February 2022)
	Doing business across borders — A global future or a splintered internet? (IAPP, January 2022)
	EU adopts adequacy decision with South Korea (IAPP, December 2021)
	EDPB discusses data transfer guidance considerations, key points (IAPP, November 2021)
	New EDPB guidelines define international transfers: Dancing in place (IAPP, November 2021)
	A globalized CBPR framework: Peering into the future of data transfers (IAPP, November 2021)
	Filling in the blanks: What is the transfer of personal data and when will Chapter V obligations be applicable? (IAPP, November 2021)
	Confusion about the meaning of ‘Schrems II’ impedes global data flows (IAPP, November 2021)
	LinkedIn Live: “UK International Data Transfers Consultation” (IAPP, October 2021)
	Standardizing data-processing agreements globally (IAPP, September 2021)
	Companies urge data transfer deal before US-EU Trade and Technology Council (IAPP, September 2021)
	The UK’s new plans for data transfers: An interview with Joe Jones (IAPP, September 2021)
	FAQs for UK ICO’s data transfer consultation – including approach to EU SCCs (IAPP, August 2021)
	Can the new standard contractual clauses work for small business? (IAPP, August 2021)
	EU, US trade, data flow talks back on (IAPP, September 2021)
	EU considers canceling trade, data flow talks with US (IAPP, September 2021)
	Mixed messaging around progress toward EU-US data transfer solution (IAPP, September 2021)
	EU, US progressing on data transfer resolution (IAPP, September 2021)
	Swiss DPA approves use of European Commission’s SCCs (IAPP, August 2021)
	Researchers seek to simplify transfers of EU health data (IAPP, August 2021)
	How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How to Address Them (Information Technology and Innovation Foundation)
	A year after ‘Schrems II’ ruling, uncertainty remains (IAPP, July 2021)
	LinkedIn Live: “‘Schrems II’: A Year On” (IAPP, July 2021)
	EDPB adopts guidelines on codes of conduct for data transfers (IAPP, July 2021)
	The road ahead in an uncertain world of cross-border data transfers (IAPP, June 2021)
	LinkedIn Live: ‘Data Transfers in Practice’ (IAPP, June 2021)
	European Commission adopts UK adequacy decisions (IAPP, June 2021)
	Web Conference: ‘Schrems II’ Data Transfers Impact: Steps to Protect and Enable Transfers (IAPP, June 2021)
	EDPB rapporteur details board’s supplementary measures (IAPP, June 2021)
	LinkedIn Live: ‘EDPB’s New Recommendations for Post-‘Schrems II’ Data Transfers’ (IAPP, June 2021)
	EDPB’s data transfer recommendations adopt a risk-based approach with teeth (IAPP, June 2021)
	The future of data localization and cross-border transfer in China: a unified framework or a patchwork of requirements? (IAPP, June 2021)
	EU-US data transfer deal still work in progress, despite new alliance (IAPP, June 2021)
	EDPS Case Law Digest: Transfers of personal data to third countries (Office of the European Data Protection Supervisor, June 2021)
	LinkedIn Live: ‘SCC Masterclass: Keys to Implementation’ (IAPP, June 2021)
	Demystifying data transfers to US data importers: Looking at ‘Schrems II’ from a different angle (IAPP, May 2021)
	The Irish High Court judgment on EU-US data flows (IAPP, May 2021)
	Cross-Border Implications for International Companies Post-‘Schrems II’ (IAPP, May 2021)
	Why the Biden administration should ‘go big’ on global data transfers solution (IAPP, February 2021)
	Biden appoints Christopher Hoff to oversee Privacy Shield talks (IAPP, January 2021)
	Do B2B companies not based in the EU need to comply with the GDPR? (IAPP, January 2021)
	Stuck in the middle with you: When US discovery orders hit GDPR (IAPP, January 2021)
	Approved Binding Corporate Rules (IAPP, October 2020)
	CIPL white paper: A Path Forward for International Data Transfers under the GDPR after the CJEU Schrems II Decision (CIPL, September 2020)
	NOYB survey: How companies addressed their international data transfers after the CJEU’s ruling in Schrems II (NOYB, September 2020)
	LIBE meeting scrutinizes path forward for EU-US data transfers (IAPP, September 2020)
	Is the EU’s approach to data transfers the best path forward? (IAPP, August 2020)
	EC calls for harmonization, addresses data transfers in GDPR review (IAPP, June 2020)
	A Roadmap for Cross-Border Data Flows: Future-Proofing Readiness and Cooperation in the New Data Economy (World Economic Forum, June 2020)
	The Guide to U.S. Government Practice on Global Sharing of Personal Information, Third Edition (IAPP, March 2020)
	The Privacy Advisor Podcast: What will happen to cross-border data transfers? (IAPP, October 2019)
	Critical Cybersecurity Compliance Issues for Canadian and U.S. Companies Operating across the Border (Business Law Today, June 2019)
	Privacy across borders: Enforcement and prescriptive jurisdiction (IAPP, April 2019)
	Announcing the new Cross-Border Data Forum (IAPP, October 2018)
	A look at data transfers under different data protection regulations (IAPP, August 2018)
	Countdown to GDPR: Part 3 — Cross-border data transfer (IAPP, April 2018)
	The Privacy Shield: What U.S. multinational employers need to know to enjoy the benefits of the newest EU-U.S. data transfer mechanism (IAPP, July 2016)
	Top 10 operational impacts of the GDPR: Part 4 – Cross-border data transfers (IAPP, January 2016)
	A Newbie’s Safe Harbor Odyssey (IAPP, November 2015)
	Need To Get Caught Up on Safe Harbor? We’ve Got You Covered (IAPP, October 2015)

View More Resources

Standard Contractual Clauses

EU Standard Contractual Clauses (Word documents)

Save This

Transfer Impact Assessment Templates

Save This

RIPD publishes guidelines for international data transfers

The Ibero-American Data Protection Network, the RIPD, released guidance documents for implementing standard contractual clauses for international data transfers and transfer agreements. The guidelines aim to outline how and when SCCs should be used, as well as why the clauses are necessary and appropriate. Additionally, the guidelines explain principles for responsibility when transferring data to a third country without adequate data protection measures.Full Story... Read More

Save This

How China's draft SCCs compare with EU SCCs

On June 30, 2022, the Cyberspace Administration of China released the long-awaited draft provisions on the Standard Contract for the Cross-border Transfer of Personal Information for public consultation. The deadline to submit comments is July 29, 2022. The draft provisions were circulated pursuant to Article 38 of China’s Personal Information Protection Law, under which the government-approved standard contract is one of the lawful transfer mechanisms available that a personal information proce... Read More

Save This

Bird & Bird EU Standard Contractual Clauses Generator

Bird & Bird released a web-based "Standard Contractual Clauses-generator tool aimed at assisting organizations with tailoring new SCCs. Read More

Save This

	European Commission publishes Q&A on SCCs for data transfers (IAPP, May 2022)
	Why it is unlikely the announced supplemental SCCs will materialize (IAPP, November 2021)
	Can the new standard contractual clauses work for small business? (IAPP, August 2021)
	Swiss DPA approves use of European Commission’s SCCs (IAPP, August 2021)
	Getting acclimated with updated SCCs (IAPP, June 2021)
	Top-10 do’s and don’ts for service providers implementing the new SCCs with EU customers (IAPP, June 2021)
	LinkedIn Live: ‘SCC Masterclass: Keys to Implementation’ (IAPP, June 2021)
	The updated standard contractual clauses — A new hope? (IAPP, June 2021)
	New SCCs are coming soon, but a Privacy Shield replacement remains on the horizon (IAPP, April 2021)
	Web Conference: Making SCCs Work in Practice Today (IAPP, February 2021)
	What to expect when you’re expecting… SCCs — Canadian edition (IAPP, December 2020)
	Schrems II’: What the EDPB Recommendations and Modernized SCCs Mean for You (IAPP, December 2020)
	European Commission publishes proposed replacement SCCs (IAPP, November 2020)
	New EU SCCs: A modernized approach (IAPP, November 2020)
	What to expect on revised standard contractual clauses (IAPP, September 2020)
	Supplementing SCCs to solve surveillance shortfalls (IAPP, August 2020)
	BCRs as a robust alternative to Privacy Shield and SCCs (IAPP, July 2020)

View More Resources

CJEU Cases: Schrems I & II

Frequently Asked Questions & Resources on ‘Schrems II’

The IAPP is publishing these frequently asked questions and links to relevant resources from government authorities and privacy practitioners as a resource for privacy professionals working to respond to this significant court decision. Read More

Save This

DPA and government guidance on ‘Schrems II’

This IAPP Resource Center page collects together DPA and government guidance on 'Schrems II' as it comes out. The IAPP will continue to update this page as new guidance emerges. Read More

Save This

Confusion about meaning of ‘Schrems II’ impedes global data flow

An unexpected impact of the Court of Justice of the European Union’s “Schrems II” decision is the confusion between the EU General Data Protection Regulation’s Article 45 and Article 46 assessments. There is a distinction between assessing the adequacy of a third country’s laws and assessing impediments in a third country to enforce contracts, Indicium Senior Strategist Lynn Goldstein, CIPP/US, writes. Defining key discrepancies, Goldstein offers a primer to ensure regulations are followed and d... Read More

Save This

Guidance notes for responding to ‘Schrems II’

A series of guidance notes from Baker McKenzie on the CJEU's "Schrems II" decision is now available through the IAPP Resource Center. Read More

Save This

'Schrems II': A Year On

Original Broadcast Date: July 2021 One year ago, the Court of Justice of the European Union’s “Schrems II” decision shook the privacy profession and global data transfers by invalidating the EU-U.S. Privacy Shield Framework and calling into question broader data transfers. A year hence, the tremors continue. The decision spawned new standard contractual clauses and a host of detailed guidance on supplementary measures to ensure equivalent protection and mitigate government surveillance. And yet... Read More

Save This

	Web Conference: ‘Schrems II’ Data Transfers Impact: Steps to Protect and Enable Transfers (IAPP, June 2021)
	LinkedIn Live: ‘EDPB’s New Recommendations for Post-‘Schrems II’ Data Transfers’ (IAPP, June 2021)
	‘Schrems II’ DPA investigations and enforcement: Lessons learned (IAPP, June 2021)
	LinkedIn Live: ‘Data Transfers from the EU: Will derogations save the day?’ (IAPP, March 2021)
	Is a ‘multilateral privacy treaty’ the answer to ‘Schrems II’? (IAPP, March 2021)
	Schrems II’: How to protect against liability when using non-EEA vendors (IAPP, February 2021)
	Data transfers: Questions and answers abound, yet solutions elude (IAPP, January 2021)
	LinkedIn Live: ‘Ask the Expert: EU-US Data Transfers After ‘Schrems II’’ (IAPP, December 2020)
	The post-‘Schrems II’ road isn’t clear, but privacy pros can still take steps forward (IAPP, December 2020)
	‘Schrems II’ déjà vu: What new EDPB guidance means for Canadian businesses (IAPP, December 2020)
	LinkedIn Live: ‘Expectations from the EDPB: A discussion on the new EDPB recommendations for global data transfers’ (IAPP, November 2020)
	LinkedIn Live: ‘Immediate Reactions: EDPB Guidance on Post-Schrems Transfer Safeguards’ (IAPP, November 2020)
	A break down of EDPB’s recommendations for data transfers post-‘Schrems II’ (IAPP, November 2020)
	Web Conference: Post ‘Schrems II’: Examining Your Options and How to Action the Ruling (IAPP, October 2020)
	Web Conference: Navigating the Impact of ‘Schrems II’ and Cross-Border Data Transfers (IAPP, October 2020)
	Post-‘Schrems II’: Understanding Baden-Württemberg’s updated guidance on international data transfers (IAPP, September 2020)
	German state DPA guidance on protected usable data post-‘Schrems II’ (IAPP, September 2020)
	Can synthetic data help organizations respond to ‘Schrems II’? (IAPP, September 2020)
	When law diverges from reality: How are organizations responding to ‘Schrems II’ in practice? (IAPP, September 2020)
	Irish DPC tells Facebook to stop transferring data to the US: Should panic ensue? (IAPP, September 2020)
	Why India needs to keep its eye on the ‘Schrems II’ ruling (IAPP, September 2020)
	How one tech vendor adapted its services in response to ‘Schrems II’ (IAPP, September 2020)
	Legal remedies to US surveillance after ‘Schrems II’ (IAPP, September 2020)
	How would India’s surveillance regime stack up in a ‘Schrems II’ scenario? (IAPP, August 2020)
	‘Schrems II’ requires a rethink of the CLOUD Act (IAPP, August 2020)
	Schrems group files complaints over EU-US data transfers (IAPP, August 2020)
	‘Schrems II’: Impact on Data Flows with Canada (IAPP, August 2020)
	Using ISO/IEC 27701 for cross-border data transfers post ‘Schrems II’ (IAPP, August 2020)
	White Paper – An Overview of US Surveillance in Light of “Schrems II” (IAPP, August 2020)
	US surveillance law and the future of trans-Atlantic data flows (IAPP, August 2020)
	Guidance notes for responding to ‘Schrems II’ (IAPP, July 2020)
	Schrems plans mid-August challenge of Facebook data transfers (IAPP, July 2020)
	Technology, media and telecommunications services after ‘Schrems II’ (IAPP, July 2020)
	What ‘Schrems II’ means for companies that rely on derogations (IAPP, July 2020)
	Using SCCs post-‘Schrems II’: Guidance from DPAs (IAPP, July 2020)
	LinkedIn Live: The ‘Schrems II’ Aftermath: A Deep Dive into SCCs (IAPP, July 2020)
	LinkedIn Live: ‘Schrems II’: The Practical Implications (IAPP, July 2020)
	LinkedIn Live: The CJEU Decision Unpacked (IAPP, July 2020)
	LinkedIn Live: ‘Schrems II’: The Immediate Aftermath (Name, July 2020)
	LinkedIn Live: The ‘Schrems II’ Decision: The Day After (IAPP, July 2020)
	CJEU ‘Schrems II’ Judgment: Action Steps for US Multinational Employers to Keep HR Data Transfers on Track (Littler, July 2020)
	Schrems, Ustaran react to CJEU’s ruling on Privacy Shield, SCCs (IAPP, July 2020)
	The show must go on (IAPP, July 2020)
	Infographic: The impact of the CJEU’s decision on ‘Schrems II’ (IAPP, July 2020)
	What does ‘Schrems II’ mean for EU-UK data flows? (IAPP, July 2020)
	What ‘Schrems II’ means for controller-to-processor SCCs (IAPP, July 2020)
	Dixon, Serwin discuss ‘Schrems II,’ future of data transfers (IAPP, July 2020)
	The ‘Schrems II’ decision: EU-US data transfers in question (IAPP, July 2020)
	‘Schrems 2.0’: 5 business impacts from the advocate general’s opinion (IAPP, January 2020)
	The advocate general’s ‘Schrems II’ opinion: What it says and means (IAPP, December 2019)
	It’s Schrems, round two (IAPP, February 2017)
	The Privacy Shield: What U.S. multinational employers need to know to enjoy the benefits of the newest EU-U.S. data transfer mechanism (IAPP, July 2016)
	European Commission formally adopts Privacy Shield (IAPP, July 2016)
	EU Member States approve Privacy Shield (IAPP, July 2016)
	Model clauses in jeopardy with Irish DPA referral to CJEU (IAPP, May 2016)
	Commission, Commerce announce new EU-US data transfer agreement (IAPP, February 2016)
	Schrems: Stop Sending Data Abroad (IAPP, December 2015)
	LIBE Committee to Commission: Why Did Safe Harbor Last 15 Years? (IAPP, October 2015)
	Following CJEU Ruling, Where Does Schrems Case Go Now? (IAPP, October 2015)
	Safe Harbor “Invalid,” Rules ECJ (IAPP, October 2015)
	Schrems Reacts to Advocate General’s Opinion on Safe Harbor (IAPP, September 2015)
	Schrems v Data Protection Commissioner Just Got a Lot More Interesting (IAPP, September 2015)
	Austrian Court Dismisses Facebook Suit; Schrems “Will Go to a Higher Court” (IAPP, July 2015)
	Safe Harbor Under Fire: You May Want To Change Your Transfer Mechanism (IAPP, May 2015)
	Video: Max Schrems on Facebook and the ECJ at DPC (IAPP, May 2015)
	Facebook Facing Increased Scrutiny in EU; WP29 Now Involved (IAPP, April 2015)
	Commission Says It Cannot Guarantee EU Privacy in U.S. Data Transfers (IAPP, March 2015)
	ECJ Hears Safe Harbor Arguments (IAPP, March 2015)
	Safe Harbor’s Final Reckoning May Begin Next Month (IAPP, February 2015)
	Facebook Class-Action Scheduled; DPA Asks Social Network for Answers (IAPP, January 2015)
	Facebook Class-Action Continues To Grow (IAPP, September 2014)
	Court Rules Facebook Must Respond to Schrems Suit (IAPP, August 2014)
	Commercial Court Punts Facebook Class-Action to Regional Court (IAPP, August 2014)
	Schrems Launches Global Class-Action Against Facebook (IAPP, August 2014)
	Irish High Court Refers Facebook Case to ECJ (IAPP, June 2014)
	Austrian Students Launch Offensive Over Spying (IAPP, July 2013)
	Europe v. Facebook Plans Suit (IAPP, December 2012)
	Law Student’s Quest Against Facebook Continues (IAPP, October 2012)
	Student To Bring Facebook Concerns to EC (IAPP, April 2012)
	Networking Site Faces Suit from Student (IAPP, February 2012)
	Activist: Facebook Will Release Data (IAPP, February 2012)
	Facebook Execs, Activist Meeting Today (IAPP, February 2012)

View More Resources

EU-US Privacy Shield

EU-US Data Privacy Framework – Guidance and Resources

On October 7, 2022, the White House released an executive order implementing the long-awaited EU-U.S. Data Privacy Framework. The European Commission concurrently announced that it will launch its adequacy determination procedure for EU personal data transferred to the United States under the arrangement. This page will stay updated with the latest guidance documents and resources covering what these new rules say, how they work and what comes next as the adequacy review process proceeds. Read More

Save This

The EU-US Data Privacy Framework and next steps for data transfers

Save This

The redress mechanism in the Privacy Shield successor: On the independence and effective powers of the DPRC

Save This

Infographic: From Privacy Shield to the Trans-Atlantic Data Privacy Framework

The EU and U.S. announced an agreement “in principle” on a new Trans-Atlantic Data Privacy Framework. This infographic outlines the EU adequacy process. Read More

Save This

Congressional Research Service – Report on the EU-U.S. Data Privacy Framework

This report on the EU-U.S. Data Privacy Framework and its supporting U.S. executive order was published by the Congressional Research Service. Read More

Save This

	LinkedIn Live: ‘What Do New EU Data Transfer Rules Mean for Privacy Shield?’ (IAPP, July 2021)
	Hoff: EU, US ‘not at the beginning’ of Privacy Shield negotiations (IAPP, July 2021)
	Privacy Shield and the UK — FAQs (Privacy Shield Framework, June 2021)
	New SCCs are coming soon, but a Privacy Shield replacement remains on the horizon (IAPP, April 2021)
	Why the EU, US need to solve the ‘urgent’ issue around a replacement Privacy Shield (IAPP, April 2021)
	Industry gauges future of Privacy Shield replacement (IAPP, March 2021)
	Biden appoints Christopher Hoff to oversee Privacy Shield talks (IAPP, January 2021)
	Senate hearing ponders US remedies for Privacy Shield invalidation (IAPP, December 2020)
	Will Privacy Shield’s demise usher in an era of transparency? Part 2 (IAPP, October 2020)
	Israel’s Privacy Shield announcement: Tiptoeing between the EU and US (IAPP, September 2020)
	Irish DPC tells Facebook to stop transferring data to the US: Should panic ensue? (IAPP, September 2020)
	Will Privacy Shield’s demise usher in transparency? (IAPP, August 2020)
	EU, US initiate talks on potential ‘enhanced’ Privacy Shield (IAPP, August 2020)
	The Privacy Advisor Podcast: So Privacy Shield is invalid; what to do next? (IAPP, July 2020)
	Schrems, Ustaran react to CJEU’s ruling on Privacy Shield, SCCs (IAPP, July 2020)
	The show must go on (IAPP, July 2020)
	CJEU invalidates EU-US Privacy Shield; SCCs remain valid (IAPP, July 2020)
	What Privacy Shield organizations should do in the wake of ‘Schrems II’ (IAPP, July 2020)
	The ‘Schrems II’ decision: EU-US data transfers in question (IAPP, July 2020)
	Inside the Privacy Shield annual review: Increasing common ground (IAPP, September 2019)
	Privacy Shield’s second annual review: One privacy pro’s first-hand experience (IAPP, November 2018)
	A Side-By-Side Comparison of “Privacy Shield” and the “Safe Harbor” (Bryan Cave, May 2018)
	Privacy Shield Side-by-Side Comparisons (Bryan Cave, May 2018)
	Privacy Shield Notice Requirements (U.S. Department of Commerce, January 2018)
	What Really Sank Safe Harbor? (IAPP, October 2015)

View More Resources

APEC Cross-Border Privacy Rules

Google commits to Global CBPR system

Google Chief Privacy Officer Keith Enright, CIPP/G, CIPP/US, wrote a blog post explaining the company's plans to abide by the Global Cross-Border Privacy Rules system. Enright touted the CBPR system as "an important step toward enabling continued, trusted data flows between participating jurisdictions." He added that Google will partake in the Global CBPR Forum to discuss "practical realities of services facing fragmented privacy regulations" while imploring further consultation on "how to make ... Read More

Save This

In CBPR Forum, US pushes for more data interoperability

Politico reports the U.S. is pushing forward with various countries on the proposal for Global Cross-Border Privacy Rules despite potential friction with the EU General Data Protection Regulation. A recent meeting between 20 nations in Hawaii sought to finalize details of a global CBPR framework, which existing participants hope will include Brazil and the U.K. by year's end as well as other nations, like Bermuda and Chile, by 2023. However, unnamed EU officials indicated the CBPR framework woul... Read More

Save This

A globalized CBPR framework: Peering into the future of data transfers

Last month, at the IAPP’s Privacy. Security. Risk. 2021 conference, an important moment occurred that may have been easy to miss. The moment took place during a panel discussion among current and former U.S. Department of Commerce staff titled “The Evolution of International Privacy Policymaking in the U.S. Government.” Just as billed, the discussion ranged across data flow issues around the world, from the EU-U.S. Privacy Shield (“We’re almost done.”) to new privacy laws in Brazil and India. I... Read More

Save This

BBB National Programs first APEC-approved US nonprofit Accountability Agent

The Asia-Pacific Economic Cooperation approved the first U.S.-based nonprofit Accountability Agent in the APEC privacy certification systems. Following its approval by a joint oversight board and the 21 APEC economies, BBB National Programs announced it becomes one of seven worldwide recognized Accountability Agents in the APEC Cross Border Privacy Rules and Privacy Recognition for Processors systems. The nonprofit will work one-on-one with companies of all sizes doing business in the 21 econom... Read More

Save This

APEC announces new US Accountability Agent for CBPR certifications

The Asia-Pacific Economic Cooperation is set to boost the status of its Cross-Border Privacy Rules program in the U.S. APEC has announced that certification firm Schellman & Company is the newest CBPR Accountability Agent in the U.S. following approval from a joint oversight panel. Accountability Agents work to ensure companies operating within the 21 APEC member economies have compliant privacy practices and policies in place. Schellman joins TrustArc subsidiary TRUSTe as the only U.S.-b... Read More

Save This

	Australia and Chinese Taipei join APEC’s Cross-Border Privacy Rules System (IAPP, December 2018)
	As Asia-Pacific rises and integrates, so too could the APEC Cross-Border Privacy Rules (IAPP, October 2018)
	South Korea joins APEC Cross Border Privacy Rules system (IAPP, June 2017)
	GDPR matchup: The APEC Privacy Framework and Cross-Border Privacy Rules (IAPP, May 2017)
	The APEC Cross-Border Privacy Rules—Now That We’ve Built It, Will They Come? (IAPP, September 2014)

View More Resources

Binding Corporate Rules

Approved Binding Corporate Rules

Links to some of the approved Binding Corporate Rules, as published by Mehmet Munur, CIPP/US, of Tsibouris & Associates. Read More

Save This

ICO updates guidance for BCRs

The U.K. Information Commissioner's Office published updated guidance for using binding corporate rules as a data transfer mechanism. The updates are geared toward a "simplified" approach for controllers and processors with the ICO noting it will "only request supporting documents and commitments once during the U.K. approval process." The regulator also called BCRs a "gold standard" transfer mechanism that "demonstrates your commitment to implementing appropriate safeguards."Full Story... Read More

Save This

Lithuanian DPA releases opinion on BCRs

Lithuania’s data protection authority, the State Data Protection Inspectorate, released an FAQ on binding corporate rules, stating they can be used as a basis for companies to transfer personal data to third countries in accordance with the EU General Data Protection Regulation. The DPA said companies cannot solely rely on the European Commission’s decision on an adequate level of protection as the main basis for data transfers. The document details who can transfer data to a third country on th... Read More

Save This

BCRs as a robust alternative to Privacy Shield and SCCs

Binding corporate rules are considered the “gold standard” for international data transfers, primarily as they constitute the only data transfer mechanism that carries individual regulatory approval. As all concerned supervisory authorities have participated in the review and approval process, it seems unlikely that a supervisory authority would initiate an enforcement action against a data transfer that takes place on this basis. BCRs are also not in the scope of the "Schrems II" decision, and... Read More

Save This

Argentine DPA approves guidelines for Binding Corporate Rules

Pursuant to Resolution No. 159/2018 published Dec. 7, 2018, in the Official Gazette, the Agency of Access to Public Information (Agencia de Acceso a la Información Pública, in Spanish) approved a set of guidelines for binding corporate rules as a mechanism available to multinational companies to legitimize international data transfers within their group. BCRs are a mechanism to legitimize data exports within a corporate group. They are designed to be a global solution for multinational companie... Read More

Save This

Overview on Binding Corporate rules
(European Commission, May 2018)

View More Resources

Regional Resources

Click below to navigate to resources by region.

Argentina, Brazil, Canada, China, Denmark, France, Germany, Hong Kong, India, Israel, Ireland, Italy, Japan, New Zealand, South Korea, United Kingdom, United States, Uruguay