""

 

International Data Transfers

Image

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to international data transfers.

Featured Resources

From Privacy Shield to the Trans-Atlantic Data Privacy Framework

The EU and U.S. announced an agreement “in principle” on a new Trans-Atlantic Data Privacy Framework framework. This infographic outlines the EU adequacy process.
Read More

Global data flows in focus

Amid the hyperfocus on trans-Atlantic flows, IAPP Global Privacy Summit 2022 attendees were also treated to insights regarding the bigger transfer picture and how key issues are being addressed on a global level. IAPP Staff Writer Joe Duball runs down the need-to-know from the various transfer conversations at GPS22.
Read More

Transfer Impact Assessment Templates

Organizations around the world have begun conducting transfer impact assessments. The IAPP has published the following templates as one resource to assist privacy professionals in conducting TIAs, and welcome additional templates that can be shared with the privacy community.
Read More


""

Latest News and Resources

EU Standard Contractual Clauses (Word documents)

On June 4, 2021, the European Commission released new standard contractual clauses for international data transfers. The IAPP’s Research Team created four separate Word documents, one for each transfer scenario accommodated by the new SCCs, incorporating only the modules relevant to that scenario into each document. Read More

Google commits to Global CBPR system

Google Chief Privacy Officer Keith Enright, CIPP/G, CIPP/US, wrote a blog post explaining the company's plans to abide by the Global Cross-Border Privacy Rules system. Enright touted the CBPR system as "an important step toward enabling continued, trusted data flows between participating jurisdictions." He added that Google will partake in the Global CBPR Forum to discuss "practical realities of services facing fragmented privacy regulations" while imploring further consultation on "how to make ... Read More

EDPB releases opinion on EU-Russia data transfers

The European Data Protection Board published an opinion on data transfers between EU member states and Russia. The board stated Russia is "no longer a contracting party" to EU legal frameworks and protocols following sanctions related to its war in Ukraine. The lack of EU recognition or an adequacy decision means transfers involving Russian companies can only occur "using one of the other transfer instruments provided for in Chapter V (of the EU General Data Protection Regulation)."Full Story... Read More

Irish DPC files draft order to halt Meta's data transfers to US

On Thursday, Ireland's Data Protection Commission sent a draft decision to its EU data protection authority counterparts in which it proposes to halt Facebook parent company Meta from transferring personal data from the EU to the U.S. If approved by the other DPAs, Meta-owned services Facebook and Instagram may be shuttered in the EU.  In July 2020, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield Framework and cast a shadow over the use of standard contractual ... Read More

The Global Cross Border Privacy Rules Forum

Original broadcast date: June 7, 2022 In this LinkedIn Live event, IAPP Chief Knowledge Officer Caitlin Fennessy, CIPP/US, discusses how this new forum will work with three individuals at the center of these talks: U.S. International Trade Administration Global Data Policy Director Shannon Coe, Deputy Commissioner of Singapore’s Personal Data Protection Commission Zee Kin Yeong, and U.K. Department for Digital, Culture, Media and Sport International Data Transfers Deputy Director Joe Jones. Ac... Read More

Frequently Asked Questions & Resources on ‘Schrems II’
(IAPP)
How privacy pros can help the OECD’s cross-border efforts
(IAPP, May 2022)
CNIL issues compliance notices, Q&A for data transfers with Google Analytics
(IAPP, June 2022)
European Commission publishes Q&A on SCCs for data transfers
(IAPP, May 2022)
US Commerce Dept. announces ‘historic’ Global CBPR Forum for data transfers
(IAPP, April 2022)
Web Conference: The Latest Insights on Managing Cross-Border Data Transfers
(IAPP, April 2022)
Officials ‘thrilled’ with EU-US data flows agreement, ‘work continues’ on finalization
(IAPP, April 2022)
EU, US agree ‘in principle’ to new trans-Atlantic data agreement
(IAPP, March 2022)
Top 5 operational impacts of China’s PIPL — Part 5: International data transfers
(IAPP, March 2022)
Data portability in the EU: An obscure data subject right
(IAPP, March 2022)
Data transfers, UK GDPR reform top of mind at DPI: UK
(IAPP, March 2022)
LinkedIn Live: ‘Data Transfer Enforcement, Risk and Compliance: What You Need to Know Now’
(IAPP, February 2022)
Privacy and security for big data processing in the financial sector
(IAPP, May 2022)
Post-‘Schrems II’: Can EU regulators set aside a risk-based approach for conducting transfer impact assessments?
(IAPP, February 2022)
Doing business across borders — A global future or a splintered internet?
(IAPP, January 2022)
EU adopts adequacy decision with South Korea
(IAPP, December 2021)
EDPB discusses data transfer guidance considerations, key points
(IAPP, November 2021)
New EDPB guidelines define international transfers: Dancing in place
(IAPP, November 2021)
A globalized CBPR framework: Peering into the future of data transfers
(IAPP, November 2021)
Filling in the blanks: What is the transfer of personal data and when will Chapter V obligations be applicable?
(IAPP, November 2021)
Confusion about the meaning of ‘Schrems II’ impedes global data flows
(IAPP, November 2021)
LinkedIn Live: “UK International Data Transfers Consultation”
(IAPP, October 2021)
Standardizing data-processing agreements globally
(IAPP, September 2021)
Companies urge data transfer deal before US-EU Trade and Technology Council
(IAPP, September 2021)
Sample Data Processing Agreement – Hubspot
(Hubspot, September 2021)
The UK’s new plans for data transfers: An interview with Joe Jones
(IAPP, September 2021)
FAQs for UK ICO’s data transfer consultation – including approach to EU SCCs
(IAPP, August 2021)
Can the new standard contractual clauses work for small business?
(IAPP, August 2021)
EU, US trade, data flow talks back on
(IAPP, September 2021)
EU considers canceling trade, data flow talks with US
(IAPP, September 2021)
Mixed messaging around progress toward EU-US data transfer solution
(IAPP, September 2021)
EU, US progressing on data transfer resolution
(IAPP, September 2021)
Swiss DPA approves use of European Commission’s SCCs
(IAPP, August 2021)
Researchers seek to simplify transfers of EU health data
(IAPP, August 2021)
How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How to Address Them
(Information Technology and Innovation Foundation)
A year after ‘Schrems II’ ruling, uncertainty remains
(IAPP, July 2021)
LinkedIn Live: “‘Schrems II’: A Year On”
(IAPP, July 2021)
EDPB adopts guidelines on codes of conduct for data transfers
(IAPP, July 2021)
The road ahead in an uncertain world of cross-border data transfers
(IAPP, June 2021)
LinkedIn Live: ‘Data Transfers in Practice’
(IAPP, June 2021)
European Commission adopts UK adequacy decisions
(IAPP, June 2021)
Web Conference: ‘Schrems II’ Data Transfers Impact: Steps to Protect and Enable Transfers
(IAPP, June 2021)
EDPB rapporteur details board’s supplementary measures
(IAPP, June 2021)
LinkedIn Live: ‘EDPB’s New Recommendations for Post-‘Schrems II’ Data Transfers’
(IAPP, June 2021)
EDPB’s data transfer recommendations adopt a risk-based approach with teeth
(IAPP, June 2021)
The future of data localization and cross-border transfer in China: a unified framework or a patchwork of requirements?
(IAPP, June 2021)
EU-US data transfer deal still work in progress, despite new alliance
(IAPP, June 2021)
EDPS Case Law Digest: Transfers of personal data to third countries
(Office of the European Data Protection Supervisor, June 2021)
LinkedIn Live: ‘SCC Masterclass: Keys to Implementation’
(IAPP, June 2021)
Demystifying data transfers to US data importers: Looking at ‘Schrems II’ from a different angle
(IAPP, May 2021)
The Irish High Court judgment on EU-US data flows
(IAPP, May 2021)
Cross-Border Implications for International Companies Post-‘Schrems II’
(IAPP, May 2021)
Why the Biden administration should ‘go big’ on global data transfers solution
(IAPP, February 2021)
Biden appoints Christopher Hoff to oversee Privacy Shield talks
(IAPP, January 2021)
Do B2B companies not based in the EU need to comply with the GDPR?
(IAPP, January 2021)
Stuck in the middle with you: When US discovery orders hit GDPR
(IAPP, January 2021)
Approved Binding Corporate Rules
(IAPP, October 2020)
CIPL white paper: A Path Forward for International Data Transfers under the GDPR after the CJEU Schrems II Decision
(CIPL, September 2020)
NOYB survey: How companies addressed their international data transfers after the CJEU’s ruling in Schrems II
(NOYB, September 2020)
LIBE meeting scrutinizes path forward for EU-US data transfers
(IAPP, September 2020)
Is the EU’s approach to data transfers the best path forward?
(IAPP, August 2020)
EC calls for harmonization, addresses data transfers in GDPR review
(IAPP, June 2020)
A Roadmap for Cross-Border Data Flows: Future-Proofing Readiness and Cooperation in the New Data Economy
(World Economic Forum, June 2020)
The Guide to U.S. Government Practice on Global Sharing of Personal Information, Third Edition
(IAPP, March 2020)
The Privacy Advisor Podcast: What will happen to cross-border data transfers?
(IAPP, October 2019)
Critical Cybersecurity Compliance Issues for Canadian and U.S. Companies Operating across the Border
(Business Law Today, June 2019)
Privacy across borders: Enforcement and prescriptive jurisdiction
(IAPP, April 2019)
Announcing the new Cross-Border Data Forum
(IAPP, October 2018)
A look at data transfers under different data protection regulations
(IAPP, August 2018)
Countdown to GDPR: Part 3 — Cross-border data transfer
(IAPP, April 2018)
The Privacy Shield: What U.S. multinational employers need to know to enjoy the benefits of the newest EU-U.S. data transfer mechanism
(IAPP, July 2016)
Top 10 operational impacts of the GDPR: Part 4 – Cross-border data transfers
(IAPP, January 2016)
A Newbie’s Safe Harbor Odyssey
(IAPP, November 2015)
Need To Get Caught Up on Safe Harbor? We’ve Got You Covered
(IAPP, October 2015)
View More Resources

Standard Contractual Clauses

EU Standard Contractual Clauses (Word documents)

On June 4, 2021, the European Commission released new standard contractual clauses for international data transfers. The IAPP’s Research Team created four separate Word documents, one for each transfer scenario accommodated by the new SCCs, incorporating only the modules relevant to that scenario into each document. Read More

Transfer Impact Assessment Templates

Organizations around the world have begun conducting transfer impact assessments. The IAPP has published the following templates as one resource to assist privacy professionals in conducting TIAs, and welcome additional templates that can be shared with the privacy community. Read More

European Commission publishes Q&A on SCCs for data transfers

The European Commission published a Q&A on standard contractual clauses for data transfers under the EU General Data Protection Regulation. On Dec. 27, a new set of SCCs for international data transfers will replace existing SCCs. The Q&A offers practical guidance on the use of SCCs and assists stakeholders in compliance efforts, the Commission said, adding the document is “intended to be a ‘dynamic’ source of information and will be updated as new questions arise.”Full Story... Read More

Why it is unlikely the announced supplemental SCCs will materialize

The European Commission has confirmed it will develop a supplemental set of standard contractual clauses to cover data transfers to data importers already subject to the EU General Data Protection Regulation. The confirmation appears in the minutes of the Sept. 14, 2021, European Data Protection Board meeting, where it discussed the upcoming EDPB guidelines on the interplay between Article 3 GDPR (on scope) and Chapter V (on data transfers). This announcement is a change in course for the EC. W... Read More

Can the new standard contractual clauses work for small business?

The European Commission’s release of updated standard contractual clauses and the European Data Protection Board’s recommendations on supplemental measures bring both welcome clarity and new challenges for companies transferring data from the European Union to the United States. On the positive side, the updated SCCs, which reflect the realities of the EU General Data Protection Regulation, are designed to be more flexible and their modular design makes them easier to use. They can be used for p... Read More

CJEU Cases: Schrems I & II

Confusion about meaning of ‘Schrems II’ impedes global data flow

An unexpected impact of the Court of Justice of the European Union’s “Schrems II” decision is the confusion between the EU General Data Protection Regulation’s Article 45 and Article 46 assessments. There is a distinction between assessing the adequacy of a third country’s laws and assessing impediments in a third country to enforce contracts, Indicium Senior Strategist Lynn Goldstein, CIPP/US, writes. Defining key discrepancies, Goldstein offers a primer to ensure regulations are followed and d... Read More

LinkedIn Live: "'Schrems II': A Year On"

Published: July 2021 One year ago, the Court of Justice of the European Union’s “Schrems II” decision shook the privacy profession and global data transfers by invalidating the EU-U.S. Privacy Shield Framework and calling into question broader data transfers. A year hence, the tremors continue. The decision spawned new standard contractual clauses and a host of detailed guidance on supplementary measures to ensure equivalent protection and mitigate government surveillance. And yet, the phrase “... Read More

Web Conference: ‘Schrems II’ Data Transfers Impact: Steps to Protect and Enable Transfers
(IAPP, June 2021)
LinkedIn Live: ‘EDPB’s New Recommendations for Post-‘Schrems II’ Data Transfers’
(IAPP, June 2021)
‘Schrems II’ DPA investigations and enforcement: Lessons learned
(IAPP, June 2021)
LinkedIn Live: ‘Data Transfers from the EU: Will derogations save the day?’
(IAPP, March 2021)
Is a ‘multilateral privacy treaty’ the answer to ‘Schrems II’?
(IAPP, March 2021)
Schrems II’: How to protect against liability when using non-EEA vendors
(IAPP, February 2021)
Data transfers: Questions and answers abound, yet solutions elude
(IAPP, January 2021)
LinkedIn Live: ‘Ask the Expert: EU-US Data Transfers After ‘Schrems II’’
(IAPP, December 2020)
The post-‘Schrems II’ road isn’t clear, but privacy pros can still take steps forward
(IAPP, December 2020)
‘Schrems II’ déjà vu: What new EDPB guidance means for Canadian businesses
(IAPP, December 2020)
LinkedIn Live: ‘Expectations from the EDPB: A discussion on the new EDPB recommendations for global data transfers’
(IAPP, November 2020)
LinkedIn Live: ‘Immediate Reactions: EDPB Guidance on Post-Schrems Transfer Safeguards’
(IAPP, November 2020)
A break down of EDPB’s recommendations for data transfers post-‘Schrems II’
(IAPP, November 2020)
Web Conference: Post ‘Schrems II’: Examining Your Options and How to Action the Ruling
(IAPP, October 2020)
Web Conference: Navigating the Impact of ‘Schrems II’ and Cross-Border Data Transfers
(IAPP, October 2020)
Post-‘Schrems II’: Understanding Baden-Württemberg’s updated guidance on international data transfers
(IAPP, September 2020)
German state DPA guidance on protected usable data post-‘Schrems II’
(IAPP, September 2020)
Can synthetic data help organizations respond to ‘Schrems II’?
(IAPP, September 2020)
When law diverges from reality: How are organizations responding to ‘Schrems II’ in practice?
(IAPP, September 2020)
Irish DPC tells Facebook to stop transferring data to the US: Should panic ensue?
(IAPP, September 2020)
Why India needs to keep its eye on the ‘Schrems II’ ruling
(IAPP, September 2020)
How one tech vendor adapted its services in response to ‘Schrems II’
(IAPP, September 2020)
Legal remedies to US surveillance after ‘Schrems II’
(IAPP, September 2020)
How would India’s surveillance regime stack up in a ‘Schrems II’ scenario?
(IAPP, August 2020)
‘Schrems II’ requires a rethink of the CLOUD Act
(IAPP, August 2020)
Schrems group files complaints over EU-US data transfers
(IAPP, August 2020)
‘Schrems II’: Impact on Data Flows with Canada
(IAPP, August 2020)
Using ISO/IEC 27701 for cross-border data transfers post ‘Schrems II’
(IAPP, August 2020)
White Paper – An Overview of US Surveillance in Light of “Schrems II”
(IAPP, August 2020)
US surveillance law and the future of trans-Atlantic data flows
(IAPP, August 2020)
Guidance notes for responding to ‘Schrems II’
(IAPP, July 2020)
Schrems plans mid-August challenge of Facebook data transfers
(IAPP, July 2020)
Technology, media and telecommunications services after ‘Schrems II’
(IAPP, July 2020)
What ‘Schrems II’ means for companies that rely on derogations
(IAPP, July 2020)
Using SCCs post-‘Schrems II’: Guidance from DPAs
(IAPP, July 2020)
LinkedIn Live: The ‘Schrems II’ Aftermath: A Deep Dive into SCCs
(IAPP, July 2020)
LinkedIn Live: ‘Schrems II’: The Practical Implications
(IAPP, July 2020)
LinkedIn Live: The CJEU Decision Unpacked
(IAPP, July 2020)
LinkedIn Live: ‘Schrems II’: The Immediate Aftermath
(Name, July 2020)
LinkedIn Live: The ‘Schrems II’ Decision: The Day After
(IAPP, July 2020)
CJEU ‘Schrems II’ Judgment: Action Steps for US Multinational Employers to Keep HR Data Transfers on Track
(Littler, July 2020)
Schrems, Ustaran react to CJEU’s ruling on Privacy Shield, SCCs
(IAPP, July 2020)
The show must go on
(IAPP, July 2020)
Infographic: The impact of the CJEU’s decision on ‘Schrems II’
(IAPP, July 2020)
What does ‘Schrems II’ mean for EU-UK data flows?
(IAPP, July 2020)
What ‘Schrems II’ means for controller-to-processor SCCs
(IAPP, July 2020)
Dixon, Serwin discuss ‘Schrems II,’ future of data transfers
(IAPP, July 2020)
The ‘Schrems II’ decision: EU-US data transfers in question
(IAPP, July 2020)
‘Schrems 2.0’: 5 business impacts from the advocate general’s opinion
(IAPP, January 2020)
The advocate general’s ‘Schrems II’ opinion: What it says and means
(IAPP, December 2019)
It’s Schrems, round two
(IAPP, February 2017)
The Privacy Shield: What U.S. multinational employers need to know to enjoy the benefits of the newest EU-U.S. data transfer mechanism
(IAPP, July 2016)
European Commission formally adopts Privacy Shield
(IAPP, July 2016)
EU Member States approve Privacy Shield
(IAPP, July 2016)
Model clauses in jeopardy with Irish DPA referral to CJEU
(IAPP, May 2016)
Commission, Commerce announce new EU-US data transfer agreement
(IAPP, February 2016)
Schrems: Stop Sending Data Abroad
(IAPP, December 2015)
LIBE Committee to Commission: Why Did Safe Harbor Last 15 Years?
(IAPP, October 2015)
Following CJEU Ruling, Where Does Schrems Case Go Now?
(IAPP, October 2015)
Safe Harbor “Invalid,” Rules ECJ
(IAPP, October 2015)
Schrems Reacts to Advocate General’s Opinion on Safe Harbor
(IAPP, September 2015)
Schrems v Data Protection Commissioner Just Got a Lot More Interesting
(IAPP, September 2015)
Austrian Court Dismisses Facebook Suit; Schrems “Will Go to a Higher Court”
(IAPP, July 2015)
Safe Harbor Under Fire: You May Want To Change Your Transfer Mechanism
(IAPP, May 2015)
Video: Max Schrems on Facebook and the ECJ at DPC
(IAPP, May 2015)
Facebook Facing Increased Scrutiny in EU; WP29 Now Involved
(IAPP, April 2015)
Commission Says It Cannot Guarantee EU Privacy in U.S. Data Transfers
(IAPP, March 2015)
ECJ Hears Safe Harbor Arguments
(IAPP, March 2015)
Safe Harbor’s Final Reckoning May Begin Next Month
(IAPP, February 2015)
Facebook Class-Action Scheduled; DPA Asks Social Network for Answers
(IAPP, January 2015)
Facebook Class-Action Continues To Grow
(IAPP, September 2014)
Court Rules Facebook Must Respond to Schrems Suit
(IAPP, August 2014)
Commercial Court Punts Facebook Class-Action to Regional Court
(IAPP, August 2014)
Schrems Launches Global Class-Action Against Facebook
(IAPP, August 2014)
Irish High Court Refers Facebook Case to ECJ
(IAPP, June 2014)
Austrian Students Launch Offensive Over Spying
(IAPP, July 2013)
Europe v. Facebook Plans Suit
(IAPP, December 2012)
Law Student’s Quest Against Facebook Continues
(IAPP, October 2012)
Student To Bring Facebook Concerns to EC
(IAPP, April 2012)
Networking Site Faces Suit from Student
(IAPP, February 2012)
Activist: Facebook Will Release Data
(IAPP, February 2012)
Facebook Execs, Activist Meeting Today
(IAPP, February 2012)
View More Resources

EU-US Privacy Shield

US-EU Trans-Atlantic Data Privacy Framework

This report on the EU-U.S. Trans-Atlantic Data Privacy Framework, published by the Congressional Research Service, outlines data transfer and surveillance issues, key points of the TADP framework and areas where Congressional action could impact the future data transfer landscape, including consideration of comprehensive federal privacy legislation. Read More

Privacy Shield Annual and Joint Reviews

When it launched the Privacy Shield in August 2016, the Commission committed to reviewing the Privacy Shield on an annual basis, to assess if it continues to ensure an adequate level of protection for personal data. Annual Reviews by European Commission First Review – Report, Press Release Second Review – Report, Press Release Third Review – Report, Press Release European Data Protection Board Joint Reviews First Joint Review Second Joint Review Third Joint Review ... Read More

LinkedIn Live: ‘What Do New EU Data Transfer Rules Mean for Privacy Shield?’

Published: June 2021 On June 4, the European Commission released new standard contractual clauses. On June 21, the European Data Protection Board published its final recommendations on supplementary measures for international data transfers. Both present a complex new set of requirements for companies transferring data to countries not deemed “adequate” by the EU and create sometimes insurmountable hurdles for those transfers. How do these new rules affect the Privacy Shield enhancement negotia... Read More

Hoff: EU, US 'not at the beginning' of Privacy Shield negotiations

As the one-year anniversary of the Court of Justice of the European Union's "Schrems II" decision approaches, the privacy industry has seen a wave of developments on international data transfers. The European Commission adopted new standard contractual clauses. The European Data Protection Board issued its recommendations on supplementary measures for data transfers and the commission adopted a pair of adequacy decisions for the U.K. All of these events took place within the last month, if you... Read More

Privacy Shield and the UK — FAQs
(Privacy Shield Framework, June 2021)
New SCCs are coming soon, but a Privacy Shield replacement remains on the horizon
(IAPP, April 2021)
Why the EU, US need to solve the ‘urgent’ issue around a replacement Privacy Shield
(IAPP, April 2021)
Industry gauges future of Privacy Shield replacement
(IAPP, March 2021)
Biden appoints Christopher Hoff to oversee Privacy Shield talks
(IAPP, January 2021)
Senate hearing ponders US remedies for Privacy Shield invalidation
(IAPP, December 2020)
Will Privacy Shield’s demise usher in an era of transparency? Part 2
(IAPP, October 2020)
Israel’s Privacy Shield announcement: Tiptoeing between the EU and US
(IAPP, September 2020)
Irish DPC tells Facebook to stop transferring data to the US: Should panic ensue?
(IAPP, September 2020)
Will Privacy Shield’s demise usher in transparency?
(IAPP, August 2020)
EU, US initiate talks on potential ‘enhanced’ Privacy Shield
(IAPP, August 2020)
The Privacy Advisor Podcast: So Privacy Shield is invalid; what to do next?
(IAPP, July 2020)
Schrems, Ustaran react to CJEU’s ruling on Privacy Shield, SCCs
(IAPP, July 2020)
The show must go on
(IAPP, July 2020)
CJEU invalidates EU-US Privacy Shield; SCCs remain valid
(IAPP, July 2020)
What Privacy Shield organizations should do in the wake of ‘Schrems II’
(IAPP, July 2020)
The ‘Schrems II’ decision: EU-US data transfers in question
(IAPP, July 2020)
Inside the Privacy Shield annual review: Increasing common ground
(IAPP, September 2019)
Privacy Shield’s second annual review: One privacy pro’s first-hand experience
(IAPP, November 2018)
A Side-By-Side Comparison of “Privacy Shield” and the “Safe Harbor”
(Bryan Cave, May 2018)
Privacy Shield Side-by-Side Comparisons
(Bryan Cave, May 2018)
Privacy Shield Notice Requirements
(U.S. Department of Commerce, January 2018)
What Really Sank Safe Harbor?
(IAPP, October 2015)
View More Resources

APEC Cross-Border Privacy Rules

Google commits to Global CBPR system

Google Chief Privacy Officer Keith Enright, CIPP/G, CIPP/US, wrote a blog post explaining the company's plans to abide by the Global Cross-Border Privacy Rules system. Enright touted the CBPR system as "an important step toward enabling continued, trusted data flows between participating jurisdictions." He added that Google will partake in the Global CBPR Forum to discuss "practical realities of services facing fragmented privacy regulations" while imploring further consultation on "how to make ... Read More

In CBPR Forum, US pushes for more data interoperability

Politico reports the U.S. is pushing forward with various countries on the proposal for Global Cross-Border Privacy Rules despite potential friction with the EU General Data Protection Regulation. A recent meeting between 20 nations in Hawaii sought to finalize details of a global CBPR framework, which existing participants hope will include Brazil and the U.K. by year's end as well as other nations, like Bermuda and Chile, by 2023. However, unnamed EU officials indicated the CBPR framework woul... Read More

A globalized CBPR framework: Peering into the future of data transfers

Last month, at the IAPP’s Privacy. Security. Risk. 2021 conference, an important moment occurred that may have been easy to miss. The moment took place during a panel discussion among current and former U.S. Department of Commerce staff titled “The Evolution of International Privacy Policymaking in the U.S. Government.” Just as billed, the discussion ranged across data flow issues around the world, from the EU-U.S. Privacy Shield (“We’re almost done.”) to new privacy laws in Brazil and India. I... Read More

BBB National Programs first APEC-approved US nonprofit Accountability Agent

The Asia-Pacific Economic Cooperation approved the first U.S.-based nonprofit Accountability Agent in the APEC privacy certification systems. Following its approval by a joint oversight board and the 21 APEC economies, BBB National Programs announced it becomes one of seven worldwide recognized Accountability Agents in the APEC Cross Border Privacy Rules and Privacy Recognition for Processors systems. The nonprofit will work one-on-one with companies of all sizes doing business in the 21 econom... Read More

APEC announces new US Accountability Agent for CBPR certifications

The Asia-Pacific Economic Cooperation is set to boost the status of its Cross-Border Privacy Rules program in the U.S. APEC has announced that certification firm Schellman & Company is the newest CBPR Accountability Agent in the U.S. following approval from a joint oversight panel. Accountability Agents work to ensure companies operating within the 21 APEC member economies have compliant privacy practices and policies in place. Schellman joins TrustArc subsidiary TRUSTe as the only U.S.-b... Read More

Binding Corporate Rules

Lithuanian DPA releases opinion on BCRs

Lithuania’s data protection authority, the State Data Protection Inspectorate, released an FAQ on binding corporate rules, stating they can be used as a basis for companies to transfer personal data to third countries in accordance with the EU General Data Protection Regulation. The DPA said companies cannot solely rely on the European Commission’s decision on an adequate level of protection as the main basis for data transfers. The document details who can transfer data to a third country on th... Read More

BCRs as a robust alternative to Privacy Shield and SCCs

Binding corporate rules are considered the “gold standard” for international data transfers, primarily as they constitute the only data transfer mechanism that carries individual regulatory approval. As all concerned supervisory authorities have participated in the review and approval process, it seems unlikely that a supervisory authority would initiate an enforcement action against a data transfer that takes place on this basis. BCRs are also not in the scope of the "Schrems II" decision, and... Read More

Argentine DPA approves guidelines for Binding Corporate Rules

Pursuant to Resolution No. 159/2018 published Dec. 7, 2018, in the Official Gazette, the Agency of Access to Public Information (Agencia de Acceso a la Información Pública, in Spanish) approved a set of guidelines for binding corporate rules as a mechanism available to multinational companies to legitimize international data transfers within their group. BCRs are a mechanism to legitimize data exports within a corporate group. They are designed to be a global solution for multinational companie... Read More

Regional Resources

Click below to navigate to resources by region.

Argentina, Brazil, Canada, China, France, Germany, Hong Kong, India, Israel, Ireland, Italy, Japan, New Zealand, South Korea, United Kingdom, United States, Uruguay
















View More Resources