We are off to the adequacy races, again. The first horse to bolt is very often the first to reach the first fence. While EU litigation has many fences, there's only ever one first fence: admissibility. Broadly speaking, there are two main routes by which an adequacy decision (as with other EU regulatory instruments) can be struck down. A ruling by the EU General Court, having adjudicated on a direct action for annulment (under Article 263 of the TFEU). A ruling by the Court of Justice of th... Read More

The European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, concluding it ensures U.S. protection of personal data transferred between the countries is comparable to that offered in the EU. But even as its finalization was announced Monday, the new framework, which enters into force 11 July, is poised to face a legal challenge. "Personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or a... Read More

The European Parliament Committee on Civil Liberties, Justice and Home Affairs does not want the European Commission to extend an adequacy decision to the U.S. based on the proposed EU-U.S. Data Privacy Framework. The committee made as much clear in its draft opinion on the EU-U.S. adequacy published Feb. 14. In their opinion, committee members concluded the proposed DPF "fails to create actual equivalence in the level of protection" offered under the EU General Data Protection Regulation and u... Read More

On Oct. 7, U.S. President Joe Biden issued an “Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities,” and the Department of Justice supplemented it with a new regulation.  As explained by the Commission of the European Union, the executive order and regulation establish “a new two-layer redress mechanism, with independent and binding authority.” In the first layer, “EU individuals will be able to lodge a complaint with the so-called ‘Civil Liberties Protecti... Read More

As hard as it is to believe, it has almost been one year since the Court of Justice of the European Union made its decision in the "Schrems II" case. The CJEU struck down the EU-U.S. Privacy Shield agreement while upholding standard contractual clauses, albeit with caveats. Since then, privacy professionals have been waiting for conclusive answers to address trans-Atlantic data flows, and there has been some news on that front over the past couple of months. The European Commission unveiled its... Read More

Privacy professionals continue to wait for news on a replacement for the EU-U.S. Privacy Shield after it was struck down by the Court of Justice of the European Union in its “Schrems II” ruling last summer. Recent reports suggest it may not be anytime soon. European Union Justice Commissioner Didier Reynders said a Privacy Shield replacement is likely years away, citing the challenges in finding a data transfer deal that would protect European citizens’ data from U.S. intelligence agencies. Th... Read More

This is the second installment of a two-part series on Privacy Shield's invalidation. In part one, Schwarz discussed concerns about national security agency access to records and its role in Privacy Shield's demise. Here, Schwarz explores options for transparency as to redress, as well as ways companies can use transparency to bolster confidence and encourage continued data sharing through mechanisms such as standard contractual clauses. As noted in part one of this series, in July, the Court o... Read More

Israel’s Privacy Protection Authority announced Sept. 29 that following the "Schrems II" ruling, data transfers from Israel to the United States can no longer rely on the EU-U.S. Privacy Shield. The decision demonstrates the tightrope act third countries find themselves in as they try to gingerly navigate the treacherous EU-U.S. privacy terrain without disrupting economic or political ties. The U.S. and EU are Israel’s largest trade partners. Moreover, Israel is one of the few countries to have... Read More

The Wall Street Journal reported Sept. 9 that Ireland's Data Protection Commissioner issued a preliminary order that Facebook must stop transferring user data to the U.S. The order, which was reported based on anonymous sources "according to people familiar with the matter," follows the Court of Justice of the European Union's ruling on the Schrems v. DPC case in July, in which the court struck down the Privacy Shield agreement between the EU and U.S. citing problems with U.S. surveillance polic... Read More

The U.S. Department of Commerce and the European Commission announced Monday that they have initiated discussions "to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgement of the Court of Justice of the European Union in the 'Schrems II' case." Last month's decision invalidated Privacy Shield and placed additional due diligence requirements on companies transferring European citizens' data to non-EU countries through standard contractual cla... Read More

Privacy professionals are now operating in a different world following the Court of Justice of the European Union's ruling in the "Schrems II" case.  The EU-U.S. Privacy Shield agreement is now invalid. The CJEU upheld standard contractual clauses; however, third countries must have the proper protections in place when EU data is transferred.  The decision has massive ramifications for international data transfers. The privacy industry now has to both analyze just what exactly the CJEU decided... Read More

It’s already a cliché to say that there’s never a dull moment in privacy. Here comes the Equifax data breach followed in quick succession by Marriott and Capital One; there goes the Cambridge Analytica scandal with the U.S. Federal Trade Commission slapping Facebook a $5 billion fine; make way for Alastair Mactaggart with a new ballot initiative to supersede the California Consumer Privacy Act; now enter "Schrems II" with the invalidation of the EU-U.S. Privacy Shield. Lawyers are running around... Read More

In a major development for international data transfers, the European Union's highest court declared Thursday that the EU-U.S. Privacy Shield arrangement — which includes thousands of participating companies — is invalid. The Court of Justice of the European Union, however, did uphold the validity of standard contractual clauses, but there must be protections in place in the third country to which EU data is transferred — specifically with regard to access by public authorities and judicial red... Read More

The Court of Justice of the European Union issued its decision in "Schrems II" Thursday, a landmark decision that invalidates the EU-U.S. Privacy Shield arrangement. Until July 16, Privacy Shield had served as an approved “adequacy” mechanism to protect cross-border transfers of personal data from the European Union to the United States under the EU General Data Protection Regulation. More than 5,000 organizations participate in Privacy Shield. Many thousands more EU companies rely on Privacy Sh... Read More

On July 16, the Court of Justice of the European Union issued its long-awaited decision in the case Data Protection Commission v. Facebook Ireland, Schrems. That decision invalidates the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies rely to conduct trans-Atlantic trade in compliance with EU data protection rules. The decision also cast a long shadow over other personal data transfers from Europe to the U.S., given the C... Read More

The long-awaited Chinese standard contractual clauses and SCC Regulations were finally released by the Cyberspace Administration of China Feb. 24, effective June 1. This indicates that all three major legal mechanisms under China's Personal Information Protection Law, namely CAC-led security assessment, certification by licensed professional institutions, and Chinese SCCs, are all fully established with the necessary details for implementation. Application scope According to the SCC Regulation... Read More

The Ibero-American Data Protection Network, the RIPD, released guidance documents for implementing standard contractual clauses for international data transfers and transfer agreements. The guidelines aim to outline how and when SCCs should be used, as well as why the clauses are necessary and appropriate. Additionally, the guidelines explain principles for responsibility when transferring data to a third country without adequate data protection measures.Full Story... Read More

On June 30, 2022, the Cyberspace Administration of China released the long-awaited draft provisions on the Standard Contract for the Cross-border Transfer of Personal Information for public consultation. The deadline to submit comments is July 29, 2022. The draft provisions were circulated pursuant to Article 38 of China’s Personal Information Protection Law, under which the government-approved standard contract is one of the lawful transfer mechanisms available that a personal information proce... Read More

The European Commission published a Q&A on standard contractual clauses for data transfers under the EU General Data Protection Regulation. On Dec. 27, a new set of SCCs for international data transfers will replace existing SCCs. The Q&A offers practical guidance on the use of SCCs and assists stakeholders in compliance efforts, the Commission said, adding the document is “intended to be a ‘dynamic’ source of information and will be updated as new questions arise.”Full Story... Read More

The European Commission has confirmed it will develop a supplemental set of standard contractual clauses to cover data transfers to data importers already subject to the EU General Data Protection Regulation. The confirmation appears in the minutes of the Sept. 14, 2021, European Data Protection Board meeting, where it discussed the upcoming EDPB guidelines on the interplay between Article 3 GDPR (on scope) and Chapter V (on data transfers). This announcement is a change in course for the EC. W... Read More

The European Commission’s release of updated standard contractual clauses and the European Data Protection Board’s recommendations on supplemental measures bring both welcome clarity and new challenges for companies transferring data from the European Union to the United States. On the positive side, the updated SCCs, which reflect the realities of the EU General Data Protection Regulation, are designed to be more flexible and their modular design makes them easier to use. They can be used for p... Read More

Switzerland's Federal Data Protection and Information Commissioner announced it will recognize the European Commission's updated standard contractual clauses as a data transfer mechanism. FDPIC noted this approval is only granted if "necessary adaptations and amendments are made" to level with Swiss law. Editor's note: The IAPP's Omer Tene broke down aspects of the EU's new SCCs with Bird & Bird's Ruth Boardman in June.Full Story... Read More

The release of new standard contractual clauses for the facilitation of data transfers was not a surprise in EU data protection circles, but it certainly wasn't something professionals could necessarily brace for. Since the European Commission's announcement June 4, professionals have tried to digest updated language, requirements and conditions for all parties entering into a data transfer agreement. On top of that effort to comprehend is the task of sorting through the various timelines in pl... Read More

The European Commission recently issued its decision approving revised standard contractual clauses for data transfers to third countries in the Official Journal. The new SCCs are a mechanism companies can use to address the restriction under Article 44 in the EU General Data Protection Regulation on the cross-border transfer of personal data to third countries. Given the timing requirements in the commission's decision, the U.S. and other service providers located in third countries should expe... Read More

And so, at last, they’re here. Met with a level of anticipation — and, it must be said, apprehension — equal only to the announcement of a new Star Wars film, the new European Union standard contractual clauses for “the transfer of personal data to third countries” (that’s international transfers, to you and me) were adopted by the European Commission June 4, 2021. For those privacy professionals who are slightly longer in the tooth, this won’t have been the first time they’ll have seen a “new”... Read More

As hard as it is to believe, it has almost been one year since the Court of Justice of the European Union made its decision in the "Schrems II" case. The CJEU struck down the EU-U.S. Privacy Shield agreement while upholding standard contractual clauses, albeit with caveats. Since then, privacy professionals have been waiting for conclusive answers to address trans-Atlantic data flows, and there has been some news on that front over the past couple of months. The European Commission unveiled its... Read More

Just one day following the release of the European Data Protection Board’s post-"Schrems II" guidance for international transfers of EU personal data, the European Commission issued two sets of draft standard contractual clauses that merit close attention by Canadian businesses that process EU personal data. The first draft standard was for SCCs for international transfers of EU personal data, which will replace the SCCs based on Directive 95/46 with an updated version that incorporates the "Sch... Read More

On Nov. 12, 2020, the European Commission published a draft implementing decision on new standard contractual clauses for the transfer of personal data to third countries. The clauses try to reflect what is required under the "Schrems II" judgment and also to help those transferring data incorporate safeguards for data transfers that go above and beyond the current SCCs. They also address known deficiencies in the current SCCs — catering for data transfers by EU processors to sub-processors and ... Read More

On Nov. 12, 2020, the European Commission charted a new path for global data protection. With privacy professionals still reeling after dissecting the detailed recommendations on supplementary measures put forward by the European Data Protection Board the day prior, it is possible some consequential elements of the European Commission’s draft implementing decision on standard contractual clauses for the transfer of personal data to third countries slipped past unnoticed. The commission’s draft ... Read More

In a meeting of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs in early September, Commissioner for Justice Didier Reynders expressed hope that the long-awaited revision of standard contractual clauses would be finalized by the end of this year.  This statement undoubtedly caught the attention of the privacy community. Many privacy professionals are under intense pressure from their organizations to continue with the transfer of EU personal data to countries ou... Read More

By invalidating the EU-U.S. Privacy Shield but not rejecting wholesale the use of standard contractual clauses to transfer data to the U.S., the Court of Justice of the European Union in "Schrems II" left open the possibility that such transfers could continue. However, it emphasized that exporters and importers may need to adopt additional safeguards when using SCCs to ensure an adequate level of protection for personal data transferred to the U.S. Until now, commentators have seemed unsure as... Read More

Binding corporate rules are considered the “gold standard” for international data transfers, primarily as they constitute the only data transfer mechanism that carries individual regulatory approval. As all concerned supervisory authorities have participated in the review and approval process, it seems unlikely that a supervisory authority would initiate an enforcement action against a data transfer that takes place on this basis. BCRs are also not in the scope of the "Schrems II" decision, and... Read More

We are off to the adequacy races, again. The first horse to bolt is very often the first to reach the first fence. While EU litigation has many fences, there's only ever one first fence: admissibility. Broadly speaking, there are two main routes by which an adequacy decision (as with other EU regulatory instruments) can be struck down. A ruling by the EU General Court, having adjudicated on a direct action for annulment (under Article 263 of the TFEU). A ruling by the Court of Justice of th... Read More

With the adoption of the EU-U.S. Data Privacy Framework, European and U.S. organizations and privacy professionals are facing a new framework for data transfers across the Atlantic. Focus is quickly turning to implementation and what's next. "The reason this is all so important is that data flows and the transfers of personal data are a key enabler for basically all elements of the transatlantic economic relationship. It's something so fundamental that it really underpins all elements of commer... Read More

The European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, concluding it ensures U.S. protection of personal data transferred between the countries is comparable to that offered in the EU. But even as its finalization was announced Monday, the new framework, which enters into force 11 July, is poised to face a legal challenge. "Personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or a... Read More

On 8 June, U.K. Prime Minister Rishi Sunak and U.S. President Joe Biden announced the Atlantic Declaration: A Framework for a Twenty-First Century U.S.-UK Economic Partnership. It is the latest, most high level (it doesn’t get higher) and most conclusive development in the development of a comprehensive U.S.-U.K. partnership on data and artificial intelligence. Data Sharing data across borders is a fact of life for all organizations doing businesses or operating internationally. Yet, doing so ... Read More

Ireland's Data Protection Commission handed down a long-awaited enforcement action against Meta Platforms Ireland early Monday morning with a record fine of 1.2 billion euros. The fine, which is the highest to date under the nearly five-year-old EU General Data Protection Regulation, was accompanied by an order requiring Meta Ireland-owned Facebook to suspend future transfers of personal data to the U.S. within five months of the DPC's decision and to bring its processing operations into compli... Read More

Nonpersonal data is at the forefront of modern data analytics. In general, anonymized or deidentified personal data is not in the scope of privacy and data protection regulations, offering freedom from the restrictions of privacy compliance while allowing for greater data utilization. However, despite the growing demand for techniques to anonymize or deidentify personal data, this issue remains a topic of intense discussion at the intersection of privacy law and engineering. One part of the pro... Read More

Global data flows have been a source of geopolitical consternation among democratic allies around the world for the last decade, since former U.S. National Security Agency contractor Edward Snowden exposed the agency's global system of bulk electronic surveillance. At the heart of the matter are national security and law enforcement demands to access private sector data within the U.S., EU and other democratic nations despite the lack of a transnational baseline legal standard to do so. At the... Read More

The European Data Protection Board published a report from its taskforce of European Economic Area data protection authorities on 101 complaints filed by NOYB regarding legal data transfers following the Court of Justice of the European Union's "Schrems II" judgment. The report shows a common position among DPAs on EU-U.S. transfers using Google Analytics and Facebook Business Tools and their compliance with requirements under Chapter V of the EU General Data Protection Regulation. Positions tak... Read More

International data transfers continue to be a top compliance and legal issue for both European and global organizations, requiring continuous reevaluation and increasing resources. In its recent guidance from December 2022, the European Data Protection Board provided draft guidance with updated interpretations and requirements regarding the use of the binding corporate rules transfer mechanism. In doing so, the EDPB missed an opportunity to address BCRs in a systematic, strategic and forward-th... Read More

The European Data Protection Board released its nonbinding opinion on the draft adequacy decision based on the EU-U.S. Data Privacy Framework, welcoming what it called “substantial improvements” while expressing concern and requesting clarification on several points. In a press release, the EDPB applauded requirements of necessity and proportionality for U.S. intelligence gathering of data, as well as a new redress mechanism for EU data subjects. However, the EDPB has concerns relating to "cer... Read More

The long-awaited Chinese standard contractual clauses and SCC Regulations were finally released by the Cyberspace Administration of China Feb. 24, effective June 1. This indicates that all three major legal mechanisms under China's Personal Information Protection Law, namely CAC-led security assessment, certification by licensed professional institutions, and Chinese SCCs, are all fully established with the necessary details for implementation. Application scope According to the SCC Regulation... Read More

The European Parliament Committee on Civil Liberties, Justice and Home Affairs does not want the European Commission to extend an adequacy decision to the U.S. based on the proposed EU-U.S. Data Privacy Framework. The committee made as much clear in its draft opinion on the EU-U.S. adequacy published Feb. 14. In their opinion, committee members concluded the proposed DPF "fails to create actual equivalence in the level of protection" offered under the EU General Data Protection Regulation and u... Read More

The next domino in the finalization of the proposed EU-U.S. Data Privacy Framework has fallen. The European Commission published its draft adequacy decision recognizing the essential equivalence of U.S. data protection standards, paving the way for finalization of the DPF and unimpeded data flows. The U.S. executive order committing to an overhaul of foreign intelligence agencies' access to personal data and creation of a new redress system for EU citizens spurred the preliminary adequacy ackno... Read More

While a final resolution is near, there's been more wait-and-see periods than action during negotiations for the EU-U.S. Data Privacy Framework. First it was months of waiting in between the provisional EU-U.S. agreement on data transfers and the executive order securing U.S. national security commitments. Now concerned parties are set to stand by another six months at least while the European Commission works through a potential adequacy decision. Privacy professionals stood mostly idle throu... Read More

Following the well-known “Schrems II” case in the Court of Justice of the European Union, the policy objective behind recent regulatory interpretations of the EU General Data Protection Regulation transfers restriction is to prevent third-country authorities’ “excessive” access to EU residents’ data. But in this context, what matters more than physical data location is control of logical access to intelligible data. Given the existence of networking and the internet, a person can have intelligi... Read More

Well-known and influential names entrenched in the ongoing discussions around EU-U.S. data flows made their presence felt in back-to-back breakout sessions to cap off the final day of the IAPP Europe Data Protection Congress in Brussels, Belgium. EU and U.S. government officials took the stage focused on further touting and cementing the pending EU-U.S. Data Privacy Framework's workability. NOYB Honorary Chairman Max Schrems threw cold water on those notions, all but announcing he will attempt ... Read More

International data transfer regulation is rooted in heavy manual processes and paperwork. It impacts business decisions and leaves room for risk. Legal and regulatory teams have to jump through a host of complexities — requiring the assessment of specific circumstances of data transfers like relevant country laws and practices and any additional contractual, technical or organizational safeguards. As tedious as international data transfers may be, they are an essential pillar for global economi... Read More

Now that U.S. President Joe Biden has issued an executive order to implement the EU-U.S. Data Privacy Framework, privacy professionals are preparing to resume transferring personal data across the Atlantic without being bound by alternative means, like standard contractual clauses, for the first time in more than two years. During a session at the IAPP Privacy. Security. Risk. 2022 conference in Austin, Texas, IAPP Chief Knowledge Officer Caitlin Fennessy, CIPP/US, sat down with U.S. Department... Read More

On Oct. 7, U.S. President Joe Biden issued an “Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities,” and the Department of Justice supplemented it with a new regulation.  As explained by the Commission of the European Union, the executive order and regulation establish “a new two-layer redress mechanism, with independent and binding authority.” In the first layer, “EU individuals will be able to lodge a complaint with the so-called ‘Civil Liberties Protecti... Read More

The wait for a finalized agreement to solidify EU-U.S. data flows is winding down. The latest step forward in the process came with U.S. President Joe Biden's long-awaited executive order mandating new legal safeguards over U.S. national security agencies' access and use of EU and U.S. personal data. The order comes more than six months after Biden and European Commission President Ursula von der Leyen announced an agreement in principle on the EU-U.S. Data Privacy Framework. Talks for that agr... Read More

The newly released White House executive order implementing the long-awaited EU-U.S. Data Privacy Framework clears a path for trans-Atlantic business and diplomacy alike. Since the Court of Justice of the EU’s “Schrems II” decision invalidated Privacy Shield more than two years ago, personal data flows from the EU to the U.S. have been legally questionable. Some might argue, data transfers were effectively banned. Enforcement actions have only trickled out, but their precedential and deterrent ... Read More

This week, U.S. President Joe Biden is expected to sign an executive order cementing the legal basis for the Trans-Atlantic Data Privacy Framework, aka “Privacy Shield 2.0.” The executive order will likely create a redress mechanism, which will allow European individuals to challenge — or at least gain a modicum of insight into — surveillance practices by U.S. national security agencies. On a smaller scale but in the same vein, the government of Israel issued a draft decision Monday, announcing... Read More

The U.S. Department of Justice announced the Data Access Agreement concerning criminal data sharing between the U.K. and the U.S. entered into force Oct. 3. The two countries will share data under "qualifying, lawful orders for electronic data issued by the other country, without fear of running afoul of restrictions on cross-border disclosures." The DOJ added that the agreement brings "more timely and efficient access to electronic data required in fast-moving investigations through the use of ... Read More

China’s rise on the global stage has manifested itself in many ways, and it should be no surprise that China has gained prominence in terms of its privacy and security legislation. In recent years, major pieces of legislation have been promulgated: the 2017 Cybersecurity Law, the 2021 Data Security Law and the 2021 Personal Information Protection Law. One common area of interest arising from those three laws, especially for organizations, is how cross-border data transfers will be addressed and... Read More

On Nov. 1, 2021, China’s Personal Information Protection Law took effect and became the first Chinese law dedicated to protecting the personal information rights of individuals. However, due to a lack of implementation regulations and clarity, many companies face a situation where they are unsure how to comply with areas of the PIPL. Nowhere is this more of an issue than with Article 38 of the PIPL, which provides several conditions (or legal paths) that must be met before a cross-border data t... Read More

The European Data Protection Board published an opinion on data transfers between EU member states and Russia. The board stated Russia is "no longer a contracting party" to EU legal frameworks and protocols following sanctions related to its war in Ukraine. The lack of EU recognition or an adequacy decision means transfers involving Russian companies can only occur "using one of the other transfer instruments provided for in Chapter V (of the EU General Data Protection Regulation)."Full Story... Read More

On Thursday, Ireland's Data Protection Commission sent a draft decision to its EU data protection authority counterparts in which it proposes to halt Facebook parent company Meta from transferring personal data from the EU to the U.S. If approved by the other DPAs, Meta-owned services Facebook and Instagram may be shuttered in the EU.  In July 2020, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield Framework and cast a shadow over the use of standard contractual ... Read More

France's data protection authority, the Commission nationale de l'informatique et des libertés, released a question-and-answer document related to an unidentified number of compliance notices issued to companies over data transfers carried out through Google Analytics. The Q&A explains aspects of the notices, including the 30-day compliance period, and the CNIL's stance on lawful and unlawful uses of Google Analytics. Editor's note: The IAPP's Jennifer Bryant wrote on the initial CNIL decisi... Read More

The European Commission published a Q&A on standard contractual clauses for data transfers under the EU General Data Protection Regulation. On Dec. 27, a new set of SCCs for international data transfers will replace existing SCCs. The Q&A offers practical guidance on the use of SCCs and assists stakeholders in compliance efforts, the Commission said, adding the document is “intended to be a ‘dynamic’ source of information and will be updated as new questions arise.”Full Story... Read More

Transborder data flows are among the most significant and complex issues in the privacy profession at the moment. As the U.S. and EU work to finalize the highly anticipated Trans-Atlantic Data Privacy Framework, an announcement involving the other side of the North American continent aims to help mitigate some global complexity and promote data flows with privacy protections.  Calling it "a historic moment for international cooperation in the digital sector," U.S. Department of Commerce Secreta... Read More

The state of EU-U.S. data flows has unquestionably been the most talked about issue among data privacy professionals since the invalidation of EU-U.S. Privacy Shield. Despite excitement around the recent agreement in principle to stabilize data flows, remarks from involved parties at the IAPP Global Privacy Summit 2022 indicate the finish line is in sight but not quite on the immediate horizon. The political agreement announced by EU-U.S. officials March 25 for the Trans-Atlantic Data Privacy F... Read More

U.S. President Joe Biden and European Commission President Ursula von der Leyen announced Friday that the U.S. and EU have reached a new trans-Atlantic data flow agreement. Importantly, the agreement is in principle only at this point, and details about the deal are not yet known.  In a press conference from Brussels, Biden said, "Today we have agreed to unprecedented protections for data privacy and security for our citizens. This new arrangement will enhance the Privacy Shield framework, prom... Read More

China’s Personal Information Protection Law, which is still in the process of being fleshed out through implementing regulations and official guidance, provides a regulatory framework that governs the cross-border transfer of personal information. This article focuses on PIPL and the transfer mechanisms it proposes to safeguard personal information transferred out of China. Note that the PIPL is only one piece in the patchwork of Chinese legislation that addresses cross-border data transfers, a... Read More

The EU General Data Protection Regulation aims to empower individuals and give them "control" over their personal data. To do this, data subjects have been granted various rights, including the right to data portability, which did not exist under the Data Protection Directive. Contrary to the well-known access right, data portability allows data subjects to obtain and reuse their personal data, at least in theory. In January 2022, we asked data protection expert lawyers in our Lex Mundi Network... Read More

Among the many topics top of mind for privacy pros at the IAPP Data Protection Intensive: UK in London is proposed reforms to the UK General Data Protection Regulation and the future of transborder data flows. This comes as the U.K.'s post-Brexit international data transfers agreement officially went into force Monday and negotiations around the current trans-Atlantic impasse continue behind the scenes.  A day after U.K. Information Commissioner John Edwards made his first major public speech s... Read More

Big data analytics in the financial sector around the world has become increasingly crucial to improve business efficiency, reduce operational costs and address long-standing business challenges. The term big data was coined in the early 1990s and, as the name suggests, it is “big.” Not just in size, but also in terms of speed of generation and diversity, which is why traditional computer algorithms are often not able to process big data as efficiently as conventional data. For example, a mass... Read More

The recent public statements from EU data protection authorities, including local regulators, and the European Data Protection Board, notably at the IAPP Europe Data Protection Congress in November 2021, have raised some legitimate concerns among the privacy community. Some are academic, others practical. Most are related to international transfers of personal data under the EU General Data Protection Regulation.  From clarity to perplexity A first concern stems from the EDPB's guidelines date... Read More

In one of many quotable Shakespeare-isms, the famous bard wrote in “The Tempest,” “what’s past is prologue.” In the instance of data transfers, national borders and digital trade, the “prologue” stretches back to the early days of the Y2K era with a landmark case against Yahoo! — the big technology player of the day. A French court blocked Yahoo! from selling Nazi memorabilia to French users on its auction sites. Yahoo!’s lawyers argued this would be technically impossible, as the internet “has... Read More

With the recent adoption of guidelines on the interplay between Article 3 and Chapter V of the EU General Data Protection Regulation relating to international data transfers, the European Data Protection Board sought to answer a question that has been debated going back five years to the GDPR's original drafting. But as is usually the case when addressing the complex topic of transfers, answering one question has spawned so many others. EDPB Secretariat Head Isabelle Vereecken said during a Lin... Read More

On Nov. 18, the European Data Protection Board adopted new guidelines on the interplay between Article 3 and Chapter V of the EU General Data Protection Regulation. The guidelines answer the threshold question that underpins GDPR’s data transfer regime — what is a transfer? In short, the EDPB explains, a transfer occurs when personal data moves from an organization subject to the GDPR to a separate organization outside of EU territory. Simple, isn’t it? The answer seems more than obvious, but ... Read More

Last month, at the IAPP’s Privacy. Security. Risk. 2021 conference, an important moment occurred that may have been easy to miss. The moment took place during a panel discussion among current and former U.S. Department of Commerce staff titled “The Evolution of International Privacy Policymaking in the U.S. Government.” Just as billed, the discussion ranged across data flow issues around the world, from the EU-U.S. Privacy Shield (“We’re almost done.”) to new privacy laws in Brazil and India. I... Read More

On Nov. 18, the European Data Protection Board adopted draft guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the EU General Data Protection Regulation. The draft guidelines are open to public consultation until the end of January. GDPR regulates transfers of data: But what is a transfer? Chapter V of the GDPR sets out rules for the transfer of personal data to third countries or international organizatio... Read More

An unexpected impact of the Court of Justice of the European Union’s “Schrems II” decision is the confusion between the EU General Data Protection Regulation’s Article 45 and Article 46 assessments. There is a distinction between assessing the adequacy of a third country’s laws and assessing impediments in a third country to enforce contracts, Indicium Senior Strategist Lynn Goldstein, CIPP/US, writes. Defining key discrepancies, Goldstein offers a primer to ensure regulations are followed and d... Read More

During the inaugural meeting of the U.S.-EU Trade and Technology Council Wednesday, companies and trade groups urged officials to reach a deal on trans-Atlantic data flows, saying an agreement is key to the economy and digital innovation, The Wall Street Journal reports. “Trans-Atlantic data flows are enablers for everything we want to see done in technology,” Information Technology Industry Council Executive Vice President of Policy Rob Strayer said.Full Story... Read More

On Aug. 26, the United Kingdom announced big new plans for international data transfers. As one of the world’s largest economies, a long-time leader in multilateral privacy fora, and a frequent interpreter between European and U.S. approaches to data protection, the U.K. is well-positioned to innovate in this endlessly challenging and integral policy arena. Last week, I had the opportunity to discuss the U.K.’s plans with Joe Jones, Deputy Director of International Data Transfers at the U.K. De... Read More

On Aug. 11, the U.K. Information Commissioner's Office launched a consultation on data transfers. The consultation is relevant to anyone who transfers personal data from the U.K. or who provides services to U.K. organizations. The consultation asks whether it would be helpful for the ICO to approve an addendum, allowing the EU standard contractual clauses to be used for transfers of personal data from the U.K. Even if organizations have no comments on the ICO's other points, this point alone is ... Read More

The European Commission’s release of updated standard contractual clauses and the European Data Protection Board’s recommendations on supplemental measures bring both welcome clarity and new challenges for companies transferring data from the European Union to the United States. On the positive side, the updated SCCs, which reflect the realities of the EU General Data Protection Regulation, are designed to be more flexible and their modular design makes them easier to use. They can be used for p... Read More

Data protection may not be at the forefront of global policy discussions, but it's certainly gaining importance and notoriety. So much so it's now being used as a potential bargaining chip in foreign relations and politics. Two EU officials told Politico the planned EU-U.S. Trade and Technology Council meeting Sept. 29 in Pittsburgh, Pennsylvania, is now in jeopardy with the EU threatening to cancel over issues between the U.S. and France related to a U.S.-U.K. submarine contract with Australia... Read More

In a piece for Nature Medicine, science and medical researchers outlined the need to ease data transfer barriers on health data sharing outside the EU for research purposes. The group argued COVID-19 has shown "international collaborations and global data sharing are essential for health research," but current restrictions on data sharing for non-pandemic-related data may bring "damaging effects." They noted the high threshold for anonymized data under the EU General Data Protection Regulation a... Read More

A whole year has passed since the Court of Justice of the European Union struck down the EU-U.S. Privacy Shield and effectively shook the privacy space. Privacy professionals are still considering whether true progress been made toward a solution to stabilize and safeguard international data transfers during the last 365 days. The answer varies depending on who's being asked. IAPP Research Director Caitlin Fennessy, CIPP/US, Hogan Lovells Partner Eduardo Ustaran, CIPP/E, and NOYB Founder Max Sc... Read More

The European Commission recently issued its decision approving revised standard contractual clauses for data transfers to third countries in the official journal. The new SCCs arrive at a critical juncture in the regulation of cross-border data transfers, as there is significant uncertainty in the market around how to address cross-border data transfer restrictions. What is the legal context for the introduction of the new SCCs?  The new SCCs are a mechanism companies can use to address the r... Read More

Almost five years to the day from when the Brexit vote took place, the questions around U.K. adequacy have been laid to rest, at least for now. The European Commission announced it officially adopted a pair of adequacy decisions for the U.K., one for the EU General Data Protection Regulation and another for the Law Enforcement Directive. The announcement comes just days before the "bridging mechanism" for data transfers between the EU and U.K. was set to expire. "The U.K. has left the EU but t... Read More

The EU finally dropped the other shoe this week in regards to its international data transfer conundrum. On June 21, the European Data Protection Board followed up the European Commission's introduction of revamped standard contractual clauses for personal data transfers with its final recommendations on supplementary measures for transfers. The recommendations themselves feature a six-step process organizations must take to map data transfers and the mechanisms used for them. The process invol... Read More

On June 21, the European Data Protection Board issued its highly anticipated final recommendations on supplementary measures for data transfers. The recommendations outline a process organizations can follow to transfer personal data outside the European Economic Area to ensure compliance with the "Schrems II" judgment. The initial draft of the recommendations, released in November 2020, took the data protection world by surprise by preventing organizations from considering the “subjective” lik... Read More

Until now, China’s data localization and cross-border data transfer requirements were not laid out in one piece of legislation but could be found scattered in the Cybersecurity Law and its draft implementing regulations, as well as in various sectoral regulations, which contain specific requirements applicable to data processed by entities in specific sectors.    With the June 10 enactment of the Data Security Law that will take effect Sept. 1 and the upcoming Personal Information Protection La... Read More

U.S. President Joe Biden and European Commission President Ursula von der Leyen have put pen to paper on the establishment of a new EU-U.S. Trade and Technology Council, pledging to foster greater synergies in areas including artificial intelligence, green tech, and security. But on the key issue of establishing a new trans-Atlantic data transfer accord, talks this week did not break the deadlock. Ahead of the EU-U.S. summit in Brussels Tuesday, rumors had surfaced suggesting the U.S. administr... Read More

On Nov. 10, 2020, the European Data Protection Board issued a draft version of a recommendation on measures to supplement data transfer rules to ensure compliance with the EU General Data Protection Regulation. The measures aren't binding because the document is not final yet. The EDPB made the recommendation after the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield July 16, 2020, and found that organizations relying on the standard contractual clauses may need to i... Read More

The Irish High Court's May 14 judgment concerning Facebook's EU-U.S. data transfers sheds light on the Irish Data Protection Commission's and the court's initial views on issues with significant global implications. In the judgment, Justice David Barniville dismissed Facebook Ireland's arguments that the process followed by Ireland's Data Protection Commissioner in its own-volition inquiry into Facebook Ireland's EU-U.S. data transfers was flawed. This allows the inquiry to proceed.  As a proc... Read More

We are all hopeful the U.S. government can reach an agreement with the European Commission and other EU authorities on a so-called "Privacy Shield 2.0" in the near term. Such an updated arrangement is essential to provide certainty to trans-Atlantic business and assure a high level of protection for personal data transfers.   But what's next? Over recent years, we have witnessed the Court of Justice of the European Union invalidate one trans-Atlantic commercial data transfer vehicle after ano... Read More

The Biden administration has selected a privacy veteran for the key post overseeing negotiations for a replacement Privacy Shield. Christopher Hoff, CIPP/E, CIPP/US, CIPM, will serve as deputy assistant secretary for services at the U.S. Department of Commerce, beginning his tenure on inauguration day. Hoff will now become the European Commission’s primary interlocutor in discussions on a framework to protect commercial transfers of personal information across the Atlantic following the Court of... Read More

I’ve long questioned the extraterritorial scope of the EU General Data Protection Regulation and if non-EU based organizations that engage solely in business-to-business activities fall under the GDPR. The GDPR is at best ambiguous on this issue, and the guidance published to date from the regulators is unhelpful. This issue has been brought into focus because of Brexit and the numerous inquiries I’ve received about whether U.K. B2B companies (with no physical presence in the EU) need to appoi... Read More

Civil litigants in the United States have broad rights to information — from each other and from others not involved in the litigation, whether or not they are within the U.S. Other countries often have more limited “discovery” rights and often have confidentiality or privacy laws that restrict sharing information or transferring that information across borders, like the EU General Data Protection Regulation. This often generates conflicts for those who are required by U.S. law to deliver evide... Read More

There hasn't been much movement on the future of EU-U.S. data transfers nearly two months after the Court of Justice of the European Union rendered its decision to invalidate the EU-U.S. Privacy Shield program. But that may change following a meeting of the European Parliament's Committee on Civil Liberties, Justice and Home Affairs Thursday in Brussels. The LIBE Committee welcomed European Commissioner for Justice Didier Reynders, European Data Protection Board Chair Andrea Jelinek and NOYB Fo... Read More

On July 16, 2020, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield framework, sparking debates and discussions among privacy professionals. Perhaps more importantly, the decision gave some interpretation of the standard contractual clauses mechanism and how it should work in the current approach in the EU to personal data transfers outside the EU. But will this decision lead to a crisis in cross-border data flows? Data protection frameworks for transfers outside... Read More

While the EU General Data Protection Regulation has proven to be a valuable framework in the two years since it came into force, it still requires some work regarding proper implementation by EU member states and a potential modernization of cross-border data transfers. That was some of the message put forth by the European Commission in its highly anticipated, two-year GDPR review released Wednesday. In a press conference on the review, European Commission Vice President for Values and Transpa... Read More

Before the EU General Data Protection Regulation was effective, we heard tales about how the GDPR covered every business and how even those not within the EU could be subject to fines up to 4% of annual turnover. Now, we are told the same about the California Consumer Privacy Act. These claims are too broad. This article addresses international law issues related to them. Let’s explore them using these hypotheticals: Joe runs a website out of his home in California, but the website targets on... Read More

With cloud computing, law enforcement investigations increasingly seek evidence that is held across borders, in a different country. As we describe in a separate IAPP post, this globalization of criminal evidence is prompting major legislative change and proposals. In 2018 alone, the United States passed the Clarifying Lawful Overseas Use of Data Act to address cross-border issues, and the European Union has proposed its new eEvidence regulation and directive.  To date, there has not been one f... Read More

Organizations are subject to different regulations to protect personal data that they communicate to overseas recipients for various reasons, including the development of business operations, business relationships or the availability of service providers in third countries. With the EU General Data Protection Regulation, organizations can make international personal data transfer decisions, in the absence of an adequate level decision pursuant to Article 45, using binding corporate rules, stan... Read More

The European Union’s new General Data Protection Regulation will go into force May 25, after six years of preparation. It replaces the Data Protection Directive 95/46/ EC and was designed to harmonize data privacy laws across Europe, protecting and empowering all EU citizens.  The rules will apply to all companies that collect the personal information of individuals in the EU, whether the business is based in the European Union or not, and the fines for noncompliance will be extremely onerous. ... Read More

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com... Read More