International Data Transfers

Image

International Data Transfers Topic Page

Navigate by Topic

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to international data transfers.

Featured Resources

VIDEO

UK-US Data Bridge: What it means, how to implement and what is next

In this LinkedIn Live, we hear from senior U.K. and U.S. officials on what the UK-US Data Bridge means and what is next.
Read More

CHART

Implementing Transatlantic Transfers

This chart outlines key changes and requirements for U.S., EU, UK and Swiss organizations implementing transatlantic transfers.
Read More

GUIDANCE

EU-US Data Privacy Framework

This page will stay updated with the latest resources covering the EU-U.S. Data Privacy Framework.
Read More

GUIDANCE

Global Cross-Border Privacy Rules

This page will stay updated with the latest guidance documents and resources covering global cross-border privacy rules.
Read More

INFOGRAPHIC

Global data transfer contracts

This infographic shows the jurisdictions that have taken steps to standardize draft contractual clauses for transferring personal data internationally.
Read More

INFOGRAPHIC

Global adequacy capabilities

This infographic shows the jurisdictions that vest powers in either the data privacy regulator or a government authority to designate other jurisdictions as having “adequate” data privacy standards.
Read More


EU-US Data Transfers

Functions of EU-US Data Privacy Framework take shape

The proposed Artificial Intelligence Act and a potential advertising technology shakeup courtesy of Meta has taken the EU by storm in recent months. It's a notable shift in the spotlight from the EU-U.S. Data Privacy Framework, which is quietly coming online in the face of ongoing legal questions. Representatives involved in the operationalization of the DPF since its adoption in July spoke glowingly at the IAPP European Data Protection Congress in Brussels about the strides being made to help ... Read More

Why should my company join the EU-US Data Privacy Framework?

The EU-U.S. Data Privacy Framework is now fully effective. U.S. companies that participate in the DPF are deemed to provide an adequate level of protection for personal data transfers received from the EU within the meaning of the EU General Data Protection Regulation. Some companies may be asking why this matters. Why should my company join DPF?    There is no one-size-fits-all answer to this important question. Companies differ with respect to business operations, risk tolerance and existing... Read More

UK-US Data Bridge becomes law, takes effect 12 Oct.

The distance between London and Washington is 3,674 miles. Despite the distance, it is, and has long-been, a well-traveled journey. In a former role, it is a journey I made on a number of occasions in pursuit of today's news. The safe passage of data between the age-old friends and signatories of the Atlantic Declaration has been subject to some turbulence over recent years. "Schrems I" in October 2015 and "Schrems II" in July 2020 were paradigm-shifting moments for the stability of trans-Atlan... Read More

Implementing Transatlantic Transfers

This chart outlines the key changes and requirements for U.S. organizations participating in the Data Privacy Framework, whether they are transitioning from the Privacy Shield or newly self-certifying, and for EU, UK, and Swiss organizations transferring data to U.S. organizations, including to U.S. organizations not certified to the Data Privacy Framework. Read More

EU-US data adequacy litigation begins

We are off to the adequacy races, again. The first horse to bolt is very often the first to reach the first fence. While EU litigation has many fences, there's only ever one first fence: admissibility. Broadly speaking, there are two main routes by which an adequacy decision (as with other EU regulatory instruments) can be struck down. A ruling by the EU General Court, having adjudicated on a direct action for annulment (under Article 263 of the TFEU). A ruling by the Court of Justice of th... Read More

The EU-US Data Privacy Framework in practice

On 10 July, the European Commission deemed the EU-U.S. Data Privacy Framework adequate, providing enhanced protections to EU individuals as well as much-needed assurance for EU and U.S. businesses that personal data can again flow across the Atlantic in compliance with the EU General Data Protection Regulation. Read More

European Commission adopts EU-US adequacy decision

The European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, concluding it ensures U.S. protection of personal data transferred between the countries is comparable to that offered in the EU. But even as its finalization was announced Monday, the new framework, which enters into force 11 July, is poised to face a legal challenge. "Personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or a... Read More

EU-U.S. Data Privacy Framework: New Independent, Binding Redress Mechanism

Original broadcast date: 27 March 2023 In this web conference, you will learn directly from the source how the redress process functions from beginning to end. In this session, the panelists aim to address key questions such as how the redress mechanism will work overall, what the Attorney General designation of a country is, what is involved at the ODNI CLPO stage of review, how DPRC serves its function as the second level of redress and what steps the CLPO or DPRC can take to remedy a covered violation of law. Read More

MEPs urge European Commission to reject EU-US adequacy

The European Parliament Committee on Civil Liberties, Justice and Home Affairs does not want the European Commission to extend an adequacy decision to the U.S. based on the proposed EU-U.S. Data Privacy Framework. The committee made as much clear in its draft opinion on the EU-U.S. adequacy published Feb. 14. In their opinion, committee members concluded the proposed DPF "fails to create actual equivalence in the level of protection" offered under the EU General Data Protection Regulation and u... Read More

The EU-US Data Privacy Framework and next steps for data transfers

Original broadcast date: Oct. 7, 2022 In this LinkedIn Live event, IAPP's Caitlin Fennessy, CIPP/US, Alton & Bird's Peter Swire, CIPP/US, American University Washington College of Law's Alex Joel, CIPP/G, CIPP/US, and Future of Privacy Forum's Gabriela Zanfir-Fortuna discuss U.S. President Joe Biden's executive order implementing the EU-U.S. Data Privacy Framework. Watch the full recording on LinkedIn. Access the IAPP's LinkedIn profile ... Read More

The redress mechanism in the Privacy Shield successor: On the independence and effective powers of the DPRC

On Oct. 7, U.S. President Joe Biden issued an “Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities,” and the Department of Justice supplemented it with a new regulation.  As explained by the Commission of the European Union, the executive order and regulation establish “a new two-layer redress mechanism, with independent and binding authority.” In the first layer, “EU individuals will be able to lodge a complaint with the so-called ‘Civil Liberties Protecti... Read More

Privacy Shield and the UK — FAQs

This guidance page, published by Privacy Shield Framework, provides information through a list of frequently asked questions regarding the EU-U.S. Privacy Shield Framework and the United Kingdom in light of the Brexit negotiations. Click To View ... Read More

New SCCs are coming soon, but a Privacy Shield replacement remains on the horizon

As hard as it is to believe, it has almost been one year since the Court of Justice of the European Union made its decision in the "Schrems II" case. The CJEU struck down the EU-U.S. Privacy Shield agreement while upholding standard contractual clauses, albeit with caveats. Since then, privacy professionals have been waiting for conclusive answers to address trans-Atlantic data flows, and there has been some news on that front over the past couple of months. The European Commission unveiled its... Read More

Industry gauges future of Privacy Shield replacement

Privacy professionals continue to wait for news on a replacement for the EU-U.S. Privacy Shield after it was struck down by the Court of Justice of the European Union in its “Schrems II” ruling last summer. Recent reports suggest it may not be anytime soon. European Union Justice Commissioner Didier Reynders said a Privacy Shield replacement is likely years away, citing the challenges in finding a data transfer deal that would protect European citizens’ data from U.S. intelligence agencies. Th... Read More

Will Privacy Shield's demise usher in an era of transparency? Part 2

This is the second installment of a two-part series on Privacy Shield's invalidation. In part one, Schwarz discussed concerns about national security agency access to records and its role in Privacy Shield's demise. Here, Schwarz explores options for transparency as to redress, as well as ways companies can use transparency to bolster confidence and encourage continued data sharing through mechanisms such as standard contractual clauses. As noted in part one of this series, in July, the Court o... Read More

Israel’s Privacy Shield announcement: Tiptoeing between the EU and US

Israel’s Privacy Protection Authority announced Sept. 29 that following the "Schrems II" ruling, data transfers from Israel to the United States can no longer rely on the EU-U.S. Privacy Shield. The decision demonstrates the tightrope act third countries find themselves in as they try to gingerly navigate the treacherous EU-U.S. privacy terrain without disrupting economic or political ties. The U.S. and EU are Israel’s largest trade partners. Moreover, Israel is one of the few countries to have... Read More

Irish DPC tells Facebook to stop transferring data to the US: Should panic ensue?

The Wall Street Journal reported Sept. 9 that Ireland's Data Protection Commissioner issued a preliminary order that Facebook must stop transferring user data to the U.S. The order, which was reported based on anonymous sources "according to people familiar with the matter," follows the Court of Justice of the European Union's ruling on the Schrems v. DPC case in July, in which the court struck down the Privacy Shield agreement between the EU and U.S. citing problems with U.S. surveillance polic... Read More

EU, US initiate talks on potential 'enhanced' Privacy Shield

The U.S. Department of Commerce and the European Commission announced Monday that they have initiated discussions "to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgement of the Court of Justice of the European Union in the 'Schrems II' case." Last month's decision invalidated Privacy Shield and placed additional due diligence requirements on companies transferring European citizens' data to non-EU countries through standard contractual cla... Read More

Schrems, Ustaran react to CJEU's ruling on Privacy Shield, SCCs

Privacy professionals are now operating in a different world following the Court of Justice of the European Union's ruling in the "Schrems II" case.  The EU-U.S. Privacy Shield agreement is now invalid. The CJEU upheld standard contractual clauses; however, third countries must have the proper protections in place when EU data is transferred.  The decision has massive ramifications for international data transfers. The privacy industry now has to both analyze just what exactly the CJEU decided... Read More

The show must go on

It’s already a cliché to say that there’s never a dull moment in privacy. Here comes the Equifax data breach followed in quick succession by Marriott and Capital One; there goes the Cambridge Analytica scandal with the U.S. Federal Trade Commission slapping Facebook a $5 billion fine; make way for Alastair Mactaggart with a new ballot initiative to supersede the California Consumer Privacy Act; now enter "Schrems II" with the invalidation of the EU-U.S. Privacy Shield. Lawyers are running around... Read More

CJEU invalidates EU-US Privacy Shield; SCCs remain valid

In a major development for international data transfers, the European Union's highest court declared Thursday that the EU-U.S. Privacy Shield arrangement — which includes thousands of participating companies — is invalid. The Court of Justice of the European Union, however, did uphold the validity of standard contractual clauses, but there must be protections in place in the third country to which EU data is transferred — specifically with regard to access by public authorities and judicial red... Read More

What Privacy Shield organizations should do in the wake of 'Schrems II'

The Court of Justice of the European Union issued its decision in "Schrems II" Thursday, a landmark decision that invalidates the EU-U.S. Privacy Shield arrangement. Until July 16, Privacy Shield had served as an approved “adequacy” mechanism to protect cross-border transfers of personal data from the European Union to the United States under the EU General Data Protection Regulation. More than 5,000 organizations participate in Privacy Shield. Many thousands more EU companies rely on Privacy Sh... Read More

The 'Schrems II' decision: EU-US data transfers in question

On July 16, the Court of Justice of the European Union issued its long-awaited decision in the case Data Protection Commission v. Facebook Ireland, Schrems. That decision invalidates the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies rely to conduct trans-Atlantic trade in compliance with EU data protection rules. The decision also cast a long shadow over other personal data transfers from Europe to the U.S., given the C... Read More

Standard Contractual Clauses

EU Standard Contractual Clauses (Word documents)

On June 4, 2021, the European Commission released new standard contractual clauses for international data transfers. The IAPP’s Research Team created four separate Word documents, one for each transfer scenario accommodated by the new SCCs, incorporating only the modules relevant to that scenario into each document. Read More

Transfer Impact Assessment Templates

Organizations around the world have begun conducting transfer impact assessments. The IAPP has published the following templates as one resource to assist privacy professionals in conducting TIAs, and welcome additional templates that can be shared with the privacy community. Read More

Argentina's AAIP endorses Ibero-American Data Protection Network SCCs

Resolution 198/2023 of the Argentine Agency for Access to Public Information, controlling authority of the Personal Data Protection Law, was published 13 Oct. in the Official Gazette. The resolution recognizes the standard contractual clauses drafted by the Ibero-American Data Protection Network, the RIPD, as a valid mechanism for transferring personal data to nonadequate jurisdictions. About the RIPD and its SCCs Established in 2003, the RIPD is an association of data protection authorities f... Read More

Not-so-standard Contractual Clauses: Comparing Global Data Transfer Tools (IAPP Global Privacy Summit 2023)

Panelists explore how different cross-border model contracts compare — identifying common pain points, issues and significant differences between transfer regimes emerging around the world. They discuss the Ibero-American model clauses, ASEAN model contractual clauses and other SEA national rules, the EU’s standard contractual clauses, and assess how these approaches overlap and vary from one another. Read More

A look at what's in China's new SCCs

The long-awaited Chinese standard contractual clauses and SCC Regulations were finally released by the Cyberspace Administration of China Feb. 24, effective June 1. This indicates that all three major legal mechanisms under China's Personal Information Protection Law, namely CAC-led security assessment, certification by licensed professional institutions, and Chinese SCCs, are all fully established with the necessary details for implementation. Application scope According to the SCC Regulation... Read More

Chinese SCCs are here: Are you ready?

Original broadcast date: March 14, 2023 On Feb. 24, the Cyberspace Administration of China released the long-awaited Chinese standard contractual clauses. They take effect June 1. Join IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, for a conversation with Reed Smith Beijing Tech/Data Partner Barbara Li, CIPP/E, on what implementing the new SCCs means in practice and where you should be focused now. Watch the full recording on LinkedIn. Access the IAPP's LinkedIn p... Read More

RIPD publishes guidelines for international data transfers

The Ibero-American Data Protection Network, the RIPD, released guidance documents for implementing standard contractual clauses for international data transfers and transfer agreements. The guidelines aim to outline how and when SCCs should be used, as well as why the clauses are necessary and appropriate. Additionally, the guidelines explain principles for responsibility when transferring data to a third country without adequate data protection measures.Full Story... Read More

How China's draft SCCs compare with EU SCCs

On June 30, 2022, the Cyberspace Administration of China released the long-awaited draft provisions on the Standard Contract for the Cross-border Transfer of Personal Information for public consultation. The deadline to submit comments is July 29, 2022. The draft provisions were circulated pursuant to Article 38 of China’s Personal Information Protection Law, under which the government-approved standard contract is one of the lawful transfer mechanisms available that a personal information proce... Read More

European Commission publishes Q&A on SCCs for data transfers

The European Commission published a Q&A on standard contractual clauses for data transfers under the EU General Data Protection Regulation. On Dec. 27, a new set of SCCs for international data transfers will replace existing SCCs. The Q&A offers practical guidance on the use of SCCs and assists stakeholders in compliance efforts, the Commission said, adding the document is “intended to be a ‘dynamic’ source of information and will be updated as new questions arise.”Full Story... Read More

Why it is unlikely the announced supplemental SCCs will materialize

The European Commission has confirmed it will develop a supplemental set of standard contractual clauses to cover data transfers to data importers already subject to the EU General Data Protection Regulation. The confirmation appears in the minutes of the Sept. 14, 2021, European Data Protection Board meeting, where it discussed the upcoming EDPB guidelines on the interplay between Article 3 GDPR (on scope) and Chapter V (on data transfers). This announcement is a change in course for the EC. W... Read More

Can the new standard contractual clauses work for small business?

The European Commission’s release of updated standard contractual clauses and the European Data Protection Board’s recommendations on supplemental measures bring both welcome clarity and new challenges for companies transferring data from the European Union to the United States. On the positive side, the updated SCCs, which reflect the realities of the EU General Data Protection Regulation, are designed to be more flexible and their modular design makes them easier to use. They can be used for p... Read More

Swiss DPA approves use of European Commission's SCCs

Switzerland's Federal Data Protection and Information Commissioner announced it will recognize the European Commission's updated standard contractual clauses as a data transfer mechanism. FDPIC noted this approval is only granted if "necessary adaptations and amendments are made" to level with Swiss law. Editor's note: The IAPP's Omer Tene broke down aspects of the EU's new SCCs with Bird & Bird's Ruth Boardman in June.Full Story... Read More

Getting acclimated with updated SCCs

The release of new standard contractual clauses for the facilitation of data transfers was not a surprise in EU data protection circles, but it certainly wasn't something professionals could necessarily brace for. Since the European Commission's announcement June 4, professionals have tried to digest updated language, requirements and conditions for all parties entering into a data transfer agreement. On top of that effort to comprehend is the task of sorting through the various timelines in pl... Read More

Top-10 do’s and don’ts for service providers implementing the new SCCs with EU customers

The European Commission recently issued its decision approving revised standard contractual clauses for data transfers to third countries in the Official Journal. The new SCCs are a mechanism companies can use to address the restriction under Article 44 in the EU General Data Protection Regulation on the cross-border transfer of personal data to third countries. Given the timing requirements in the commission's decision, the U.S. and other service providers located in third countries should expe... Read More

The updated standard contractual clauses — A new hope?

And so, at last, they’re here. Met with a level of anticipation — and, it must be said, apprehension — equal only to the announcement of a new Star Wars film, the new European Union standard contractual clauses for “the transfer of personal data to third countries” (that’s international transfers, to you and me) were adopted by the European Commission June 4, 2021. For those privacy professionals who are slightly longer in the tooth, this won’t have been the first time they’ll have seen a “new”... Read More

New SCCs are coming soon, but a Privacy Shield replacement remains on the horizon

As hard as it is to believe, it has almost been one year since the Court of Justice of the European Union made its decision in the "Schrems II" case. The CJEU struck down the EU-U.S. Privacy Shield agreement while upholding standard contractual clauses, albeit with caveats. Since then, privacy professionals have been waiting for conclusive answers to address trans-Atlantic data flows, and there has been some news on that front over the past couple of months. The European Commission unveiled its... Read More

What to expect when you’re expecting… SCCs — Canadian edition

Just one day following the release of the European Data Protection Board’s post-"Schrems II" guidance for international transfers of EU personal data, the European Commission issued two sets of draft standard contractual clauses that merit close attention by Canadian businesses that process EU personal data. The first draft standard was for SCCs for international transfers of EU personal data, which will replace the SCCs based on Directive 95/46 with an updated version that incorporates the "Sch... Read More

Web Conference: 'Schrems II': What the EDPB Recommendations and Modernized SCCs Mean for You

Original broadcast date: Dec. 9, 2020 Since the Court of Justice of the European Union’s ruling in "Schrems II", companies have been eagerly anticipating detailed guidance from regulators in how to manage EU data transfers to third countries, and particularly those that rely on standard contractual clauses. Those draft recommendations have now been released by the European Data Protection Board, as well as new draft SCCs by the European Commission. Join OneTrust DataGuidance for a webinar discussing the recommendations, an overview of the new SCCs and the way ahead for international data transfers. Read More

European Commission publishes proposed replacement SCCs

On Nov. 12, 2020, the European Commission published a draft implementing decision on new standard contractual clauses for the transfer of personal data to third countries. The clauses try to reflect what is required under the "Schrems II" judgment and also to help those transferring data incorporate safeguards for data transfers that go above and beyond the current SCCs. They also address known deficiencies in the current SCCs — catering for data transfers by EU processors to sub-processors and ... Read More

New EU SCCs: A modernized approach

On Nov. 12, 2020, the European Commission charted a new path for global data protection. With privacy professionals still reeling after dissecting the detailed recommendations on supplementary measures put forward by the European Data Protection Board the day prior, it is possible some consequential elements of the European Commission’s draft implementing decision on standard contractual clauses for the transfer of personal data to third countries slipped past unnoticed. The commission’s draft ... Read More

What to expect on revised standard contractual clauses

In a meeting of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs in early September, Commissioner for Justice Didier Reynders expressed hope that the long-awaited revision of standard contractual clauses would be finalized by the end of this year.  This statement undoubtedly caught the attention of the privacy community. Many privacy professionals are under intense pressure from their organizations to continue with the transfer of EU personal data to countries ou... Read More

Supplementing SCCs to solve surveillance shortfalls

By invalidating the EU-U.S. Privacy Shield but not rejecting wholesale the use of standard contractual clauses to transfer data to the U.S., the Court of Justice of the European Union in "Schrems II" left open the possibility that such transfers could continue. However, it emphasized that exporters and importers may need to adopt additional safeguards when using SCCs to ensure an adequate level of protection for personal data transferred to the U.S. Until now, commentators have seemed unsure as... Read More

BCRs as a robust alternative to Privacy Shield and SCCs

Binding corporate rules are considered the “gold standard” for international data transfers, primarily as they constitute the only data transfer mechanism that carries individual regulatory approval. As all concerned supervisory authorities have participated in the review and approval process, it seems unlikely that a supervisory authority would initiate an enforcement action against a data transfer that takes place on this basis. BCRs are also not in the scope of the "Schrems II" decision, and... Read More

Additional News and Resources

Transfer Impact Assessment Templates

Organizations around the world have begun conducting transfer impact assessments. The IAPP has published the following templates as one resource to assist privacy professionals in conducting TIAs, and welcome additional templates that can be shared with the privacy community. Read More

EU Standard Contractual Clauses (Word documents)

On June 4, 2021, the European Commission released new standard contractual clauses for international data transfers. The IAPP’s Research Team created four separate Word documents, one for each transfer scenario accommodated by the new SCCs, incorporating only the modules relevant to that scenario into each document. Read More

Functions of EU-US Data Privacy Framework take shape

The proposed Artificial Intelligence Act and a potential advertising technology shakeup courtesy of Meta has taken the EU by storm in recent months. It's a notable shift in the spotlight from the EU-U.S. Data Privacy Framework, which is quietly coming online in the face of ongoing legal questions. Representatives involved in the operationalization of the DPF since its adoption in July spoke glowingly at the IAPP European Data Protection Congress in Brussels about the strides being made to help ... Read More

Reynders announces European Commission's latest international data transfer plans

Since taking on the role of European Commissioner for Justice in 2019, Didier Reynders said a top priority was developing a new trans-Atlantic framework for data transfers following the invalidation of the EU-U.S. Privacy Shield. With the EU-U.S. Data Privacy Framework now in place, Reynders is widening the scale of the EU's efforts on data flows. On the keynote stage at the IAPP Europe Data Protection Congress 2023 in Brussels, Reynders highlighted a conference being planned for next year that... Read More

Data without borders: EU e-Evidence package facilitates access to private data across jurisdictions

On 27 June 2023, the EU formally adopted a novel set of rules regarding cross-border access to data by law enforcement during criminal investigations. The electronic evidence package, Regulation (EU) 2023/1543, includes a regulation with internal EU rules on law enforcement data access and a directive with compliance requirements for service providers receiving production and preservation requests.   The package represents a notable advancement in criminal justice in cyberspace because it allow... Read More

Argentina's AAIP endorses Ibero-American Data Protection Network SCCs

Resolution 198/2023 of the Argentine Agency for Access to Public Information, controlling authority of the Personal Data Protection Law, was published 13 Oct. in the Official Gazette. The resolution recognizes the standard contractual clauses drafted by the Ibero-American Data Protection Network, the RIPD, as a valid mechanism for transferring personal data to nonadequate jurisdictions. About the RIPD and its SCCs Established in 2003, the RIPD is an association of data protection authorities f... Read More

Why should my company join the EU-US Data Privacy Framework?

The EU-U.S. Data Privacy Framework is now fully effective. U.S. companies that participate in the DPF are deemed to provide an adequate level of protection for personal data transfers received from the EU within the meaning of the EU General Data Protection Regulation. Some companies may be asking why this matters. Why should my company join DPF?    There is no one-size-fits-all answer to this important question. Companies differ with respect to business operations, risk tolerance and existing... Read More

UK-US Data Bridge becomes law, takes effect 12 Oct.

The distance between London and Washington is 3,674 miles. Despite the distance, it is, and has long-been, a well-traveled journey. In a former role, it is a journey I made on a number of occasions in pursuit of today's news. The safe passage of data between the age-old friends and signatories of the Atlantic Declaration has been subject to some turbulence over recent years. "Schrems I" in October 2015 and "Schrems II" in July 2020 were paradigm-shifting moments for the stability of trans-Atlan... Read More

EU-US data adequacy litigation begins

We are off to the adequacy races, again. The first horse to bolt is very often the first to reach the first fence. While EU litigation has many fences, there's only ever one first fence: admissibility. Broadly speaking, there are two main routes by which an adequacy decision (as with other EU regulatory instruments) can be struck down. A ruling by the EU General Court, having adjudicated on a direct action for annulment (under Article 263 of the TFEU). A ruling by the Court of Justice of th... Read More

EU-US Data Privacy Framework adopted, what now?

With the adoption of the EU-U.S. Data Privacy Framework, European and U.S. organizations and privacy professionals are facing a new framework for data transfers across the Atlantic. Focus is quickly turning to implementation and what's next. "The reason this is all so important is that data flows and the transfers of personal data are a key enabler for basically all elements of the transatlantic economic relationship. It's something so fundamental that it really underpins all elements of commer... Read More

The EU-US Data Privacy Framework in practice

On 10 July, the European Commission deemed the EU-U.S. Data Privacy Framework adequate, providing enhanced protections to EU individuals as well as much-needed assurance for EU and U.S. businesses that personal data can again flow across the Atlantic in compliance with the EU General Data Protection Regulation. Read More

European Commission adopts EU-US adequacy decision

The European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, concluding it ensures U.S. protection of personal data transferred between the countries is comparable to that offered in the EU. But even as its finalization was announced Monday, the new framework, which enters into force 11 July, is poised to face a legal challenge. "Personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or a... Read More

The Atlantic Declaration: Data bridges, privacy and AI

On 8 June, U.K. Prime Minister Rishi Sunak and U.S. President Joe Biden announced the Atlantic Declaration: A Framework for a Twenty-First Century U.S.-UK Economic Partnership. It is the latest, most high level (it doesn’t get higher) and most conclusive development in the development of a comprehensive U.S.-U.K. partnership on data and artificial intelligence. Data Sharing data across borders is a fact of life for all organizations doing businesses or operating internationally. Yet, doing so ... Read More

Unpacking the DPC's data transfers decision

Ireland’s Data Protection Commission released its final and long-anticipated decision in the Meta data transfers case. What does the decision mean for Meta’s data transfers to the United States? What does it mean for other companies relying on standard contracts to transfer data? Read More

Meta fined GDPR-record 1.2 billion euros in data transfer case

Ireland's Data Protection Commission handed down a long-awaited enforcement action against Meta Platforms Ireland early Monday morning with a record fine of 1.2 billion euros. The fine, which is the highest to date under the nearly five-year-old EU General Data Protection Regulation, was accompanied by an order requiring Meta Ireland-owned Facebook to suspend future transfers of personal data to the U.S. within five months of the DPC's decision and to bring its processing operations into compli... Read More

A trans-Atlantic comparison of a real struggle: Anonymized, deidentified or aggregated?

Nonpersonal data is at the forefront of modern data analytics. In general, anonymized or deidentified personal data is not in the scope of privacy and data protection regulations, offering freedom from the restrictions of privacy compliance while allowing for greater data utilization. However, despite the growing demand for techniques to anonymize or deidentify personal data, this issue remains a topic of intense discussion at the intersection of privacy law and engineering. One part of the pro... Read More

In wake of global data transfer complexity, need for multilateral treaty grows

Global data flows have been a source of geopolitical consternation among democratic allies around the world for the last decade, since former U.S. National Security Agency contractor Edward Snowden exposed the agency's global system of bulk electronic surveillance. At the heart of the matter are national security and law enforcement demands to access private sector data within the U.S., EU and other democratic nations despite the lack of a transnational baseline legal standard to do so. At the... Read More

EDPB taskforce releases 'Schrems II' claims report

The European Data Protection Board published a report from its taskforce of European Economic Area data protection authorities on 101 complaints filed by NOYB regarding legal data transfers following the Court of Justice of the European Union's "Schrems II" judgment. The report shows a common position among DPAs on EU-U.S. transfers using Google Analytics and Facebook Business Tools and their compliance with requirements under Chapter V of the EU General Data Protection Regulation. Positions tak... Read More

EDPB/DPC decisions on data transfers: What is expected?

Original broadcast date: 14 April 2023 In this LinkedIn Live, IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, and Research and Insights Director Joe Jones discuss the European Data Protection Board's just-announced-but-not-yet-released binding decision on Facebook’s data transfers to the U.S. and Ireland's Data Protection Commission's final decision to come. What is the expected timeline? What could the decisions entail? What will they mean for other companies relying... Read More

Not-so-standard Contractual Clauses: Comparing Global Data Transfer Tools (IAPP Global Privacy Summit 2023)

Panelists explore how different cross-border model contracts compare — identifying common pain points, issues and significant differences between transfer regimes emerging around the world. They discuss the Ibero-American model clauses, ASEAN model contractual clauses and other SEA national rules, the EU’s standard contractual clauses, and assess how these approaches overlap and vary from one another. Read More

Privacy beyond checkmarks: How to Navigate Cross-border Transfers

Original broadcast date: 30 March 2023 In this web conference, panelists will address the latest developments and insights on cross-border restrictions, including in the U.S., the EU and U.K. General Data Protection Regulation, and the Asia-Pacific region, identifying and highlighting cross-border data transfer risks within your organization, how to operationalize data transfers to ensure alignment with various regulations, leveraging a modern framework with data intelligence, regulatory insights and intelligent access controls to automate safe data sharing. Read More

EU-U.S. Data Privacy Framework: New Independent, Binding Redress Mechanism

Original broadcast date: 27 March 2023 In this web conference, you will learn directly from the source how the redress process functions from beginning to end. In this session, the panelists aim to address key questions such as how the redress mechanism will work overall, what the Attorney General designation of a country is, what is involved at the ODNI CLPO stage of review, how DPRC serves its function as the second level of redress and what steps the CLPO or DPRC can take to remedy a covered violation of law. Read More

Chinese SCCs are here: Are you ready?

Original broadcast date: March 14, 2023 On Feb. 24, the Cyberspace Administration of China released the long-awaited Chinese standard contractual clauses. They take effect June 1. Join IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, for a conversation with Reed Smith Beijing Tech/Data Partner Barbara Li, CIPP/E, on what implementing the new SCCs means in practice and where you should be focused now. Watch the full recording on LinkedIn. Access the IAPP's LinkedIn p... Read More

International data transfers: Time to rethink binding corporate rules

International data transfers continue to be a top compliance and legal issue for both European and global organizations, requiring continuous reevaluation and increasing resources. In its recent guidance from December 2022, the European Data Protection Board provided draft guidance with updated interpretations and requirements regarding the use of the binding corporate rules transfer mechanism. In doing so, the EDPB missed an opportunity to address BCRs in a systematic, strategic and forward-th... Read More

EDPB welcomes ‘improvements’ to EU-US adequacy decision, concerns remain

The European Data Protection Board released its nonbinding opinion on the draft adequacy decision based on the EU-U.S. Data Privacy Framework, welcoming what it called “substantial improvements” while expressing concern and requesting clarification on several points. In a press release, the EDPB applauded requirements of necessity and proportionality for U.S. intelligence gathering of data, as well as a new redress mechanism for EU data subjects. However, the EDPB has concerns relating to "cer... Read More

A look at what's in China's new SCCs

The long-awaited Chinese standard contractual clauses and SCC Regulations were finally released by the Cyberspace Administration of China Feb. 24, effective June 1. This indicates that all three major legal mechanisms under China's Personal Information Protection Law, namely CAC-led security assessment, certification by licensed professional institutions, and Chinese SCCs, are all fully established with the necessary details for implementation. Application scope According to the SCC Regulation... Read More

MEPs urge European Commission to reject EU-US adequacy

The European Parliament Committee on Civil Liberties, Justice and Home Affairs does not want the European Commission to extend an adequacy decision to the U.S. based on the proposed EU-U.S. Data Privacy Framework. The committee made as much clear in its draft opinion on the EU-U.S. adequacy published Feb. 14. In their opinion, committee members concluded the proposed DPF "fails to create actual equivalence in the level of protection" offered under the EU General Data Protection Regulation and u... Read More

EU-US draft adequacy decision arrives, EU process begins in earnest

The next domino in the finalization of the proposed EU-U.S. Data Privacy Framework has fallen. The European Commission published its draft adequacy decision recognizing the essential equivalence of U.S. data protection standards, paving the way for finalization of the DPF and unimpeded data flows. The U.S. executive order committing to an overhaul of foreign intelligence agencies' access to personal data and creation of a new redress system for EU citizens spurred the preliminary adequacy ackno... Read More

Pressure points remain with EU-US Data Privacy Framework

While a final resolution is near, there's been more wait-and-see periods than action during negotiations for the EU-U.S. Data Privacy Framework. First it was months of waiting in between the provisional EU-U.S. agreement on data transfers and the executive order securing U.S. national security commitments. Now concerned parties are set to stand by another six months at least while the European Commission works through a potential adequacy decision. Privacy professionals stood mostly idle throu... Read More

Data transfers: A triangle with zero trust, not zero risk?

Following the well-known “Schrems II” case in the Court of Justice of the European Union, the policy objective behind recent regulatory interpretations of the EU General Data Protection Regulation transfers restriction is to prevent third-country authorities’ “excessive” access to EU residents’ data. But in this context, what matters more than physical data location is control of logical access to intelligible data. Given the existence of networking and the internet, a person can have intelligi... Read More

DPC 2022: EU-US Data Privacy Framework on track, Schrems challenge to come

Well-known and influential names entrenched in the ongoing discussions around EU-U.S. data flows made their presence felt in back-to-back breakout sessions to cap off the final day of the IAPP Europe Data Protection Congress in Brussels, Belgium. EU and U.S. government officials took the stage focused on further touting and cementing the pending EU-U.S. Data Privacy Framework's workability. NOYB Honorary Chairman Max Schrems threw cold water on those notions, all but announcing he will attempt ... Read More

Data transfers: Could a technical solution be the future?

International data transfer regulation is rooted in heavy manual processes and paperwork. It impacts business decisions and leaves room for risk. Legal and regulatory teams have to jump through a host of complexities — requiring the assessment of specific circumstances of data transfers like relevant country laws and practices and any additional contractual, technical or organizational safeguards. As tedious as international data transfers may be, they are an essential pillar for global economi... Read More

Operating the U.S. Cloud Under Schrems II

Original broadcast date: 3 Nov. 2022 The adoption of cloud infrastructure has benefitted organizations across virtually every industry, helping them reduce IT costs and better manage their data. However, Schrems II and its mandates regarding data surveillance create compliance problems for U.S. cloud providers and the global enterprises that want to use their services.  This web conference will address the legal issues surrounding the use of U.S.-operated clouds – and the ability of technical controls to help supplement SCCs and BCRs to buttress transfer-impact assessments for lawful data transfers. Read More

The EU-US Data Privacy Framework and next steps for data transfers

Original broadcast date: Oct. 7, 2022 In this LinkedIn Live event, IAPP's Caitlin Fennessy, CIPP/US, Alton & Bird's Peter Swire, CIPP/US, American University Washington College of Law's Alex Joel, CIPP/G, CIPP/US, and Future of Privacy Forum's Gabriela Zanfir-Fortuna discuss U.S. President Joe Biden's executive order implementing the EU-U.S. Data Privacy Framework. Watch the full recording on LinkedIn. Access the IAPP's LinkedIn profile ... Read More

Implications of EU-US Data Privacy Framework as adequacy decision looms

Now that U.S. President Joe Biden has issued an executive order to implement the EU-U.S. Data Privacy Framework, privacy professionals are preparing to resume transferring personal data across the Atlantic without being bound by alternative means, like standard contractual clauses, for the first time in more than two years. During a session at the IAPP Privacy. Security. Risk. 2022 conference in Austin, Texas, IAPP Chief Knowledge Officer Caitlin Fennessy, CIPP/US, sat down with U.S. Department... Read More

The redress mechanism in the Privacy Shield successor: On the independence and effective powers of the DPRC

On Oct. 7, U.S. President Joe Biden issued an “Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities,” and the Department of Justice supplemented it with a new regulation.  As explained by the Commission of the European Union, the executive order and regulation establish “a new two-layer redress mechanism, with independent and binding authority.” In the first layer, “EU individuals will be able to lodge a complaint with the so-called ‘Civil Liberties Protecti... Read More

White House executive order brings EU-US data flow deal closer to finish line

The wait for a finalized agreement to solidify EU-U.S. data flows is winding down. The latest step forward in the process came with U.S. President Joe Biden's long-awaited executive order mandating new legal safeguards over U.S. national security agencies' access and use of EU and U.S. personal data. The order comes more than six months after Biden and European Commission President Ursula von der Leyen announced an agreement in principle on the EU-U.S. Data Privacy Framework. Talks for that agr... Read More

The EU-US Data Privacy Framework: A new era for data transfers?

The newly released White House executive order implementing the long-awaited EU-U.S. Data Privacy Framework clears a path for trans-Atlantic business and diplomacy alike. Since the Court of Justice of the EU’s “Schrems II” decision invalidated Privacy Shield more than two years ago, personal data flows from the EU to the U.S. have been legally questionable. Some might argue, data transfers were effectively banned. Enforcement actions have only trickled out, but their precedential and deterrent ... Read More

'Data transfer theater:' The US and Israel take the stage

This week, U.S. President Joe Biden is expected to sign an executive order cementing the legal basis for the Trans-Atlantic Data Privacy Framework, aka “Privacy Shield 2.0.” The executive order will likely create a redress mechanism, which will allow European individuals to challenge — or at least gain a modicum of insight into — surveillance practices by U.S. national security agencies. On a smaller scale but in the same vein, the government of Israel issued a draft decision Monday, announcing... Read More

UK-US data access agreement takes effect

The U.S. Department of Justice announced the Data Access Agreement concerning criminal data sharing between the U.K. and the U.S. entered into force Oct. 3. The two countries will share data under "qualifying, lawful orders for electronic data issued by the other country, without fear of running afoul of restrictions on cross-border disclosures." The DOJ added that the agreement brings "more timely and efficient access to electronic data required in fast-moving investigations through the use of ... Read More

China cross-border data transfer mechanism and its implications

China’s rise on the global stage has manifested itself in many ways, and it should be no surprise that China has gained prominence in terms of its privacy and security legislation. In recent years, major pieces of legislation have been promulgated: the 2017 Cybersecurity Law, the 2021 Data Security Law and the 2021 Personal Information Protection Law. One common area of interest arising from those three laws, especially for organizations, is how cross-border data transfers will be addressed and... Read More

Will China’s new certification rules be a popular legal path for outbound data transfers?

On Nov. 1, 2021, China’s Personal Information Protection Law took effect and became the first Chinese law dedicated to protecting the personal information rights of individuals. However, due to a lack of implementation regulations and clarity, many companies face a situation where they are unsure how to comply with areas of the PIPL. Nowhere is this more of an issue than with Article 38 of the PIPL, which provides several conditions (or legal paths) that must be met before a cross-border data t... Read More

EDPB releases opinion on EU-Russia data transfers

The European Data Protection Board published an opinion on data transfers between EU member states and Russia. The board stated Russia is "no longer a contracting party" to EU legal frameworks and protocols following sanctions related to its war in Ukraine. The lack of EU recognition or an adequacy decision means transfers involving Russian companies can only occur "using one of the other transfer instruments provided for in Chapter V (of the EU General Data Protection Regulation)."Full Story... Read More

Irish DPC files draft order to halt Meta's data transfers to US

On Thursday, Ireland's Data Protection Commission sent a draft decision to its EU data protection authority counterparts in which it proposes to halt Facebook parent company Meta from transferring personal data from the EU to the U.S. If approved by the other DPAs, Meta-owned services Facebook and Instagram may be shuttered in the EU.  In July 2020, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield Framework and cast a shadow over the use of standard contractual ... Read More

The Global Cross Border Privacy Rules Forum

Original broadcast date: June 7, 2022 In this LinkedIn Live event, IAPP Chief Knowledge Officer Caitlin Fennessy, CIPP/US, discusses how this new forum will work with three individuals at the center of these talks: U.S. International Trade Administration Global Data Policy Director Shannon Coe, Deputy Commissioner of Singapore’s Personal Data Protection Commission Zee Kin Yeong, and U.K. Department for Digital, Culture, Media and Sport International Data Transfers Deputy Director Joe Jones. Wat... Read More

CNIL issues compliance notices, Q&A for data transfers with Google Analytics

France's data protection authority, the Commission nationale de l'informatique et des libertés, released a question-and-answer document related to an unidentified number of compliance notices issued to companies over data transfers carried out through Google Analytics. The Q&A explains aspects of the notices, including the 30-day compliance period, and the CNIL's stance on lawful and unlawful uses of Google Analytics. Editor's note: The IAPP's Jennifer Bryant wrote on the initial CNIL decisi... Read More

European Commission publishes Q&A on SCCs for data transfers

The European Commission published a Q&A on standard contractual clauses for data transfers under the EU General Data Protection Regulation. On Dec. 27, a new set of SCCs for international data transfers will replace existing SCCs. The Q&A offers practical guidance on the use of SCCs and assists stakeholders in compliance efforts, the Commission said, adding the document is “intended to be a ‘dynamic’ source of information and will be updated as new questions arise.”Full Story... Read More

US Commerce Dept. announces 'historic' Global CBPR Forum for data transfers

Transborder data flows are among the most significant and complex issues in the privacy profession at the moment. As the U.S. and EU work to finalize the highly anticipated Trans-Atlantic Data Privacy Framework, an announcement involving the other side of the North American continent aims to help mitigate some global complexity and promote data flows with privacy protections.  Calling it "a historic moment for international cooperation in the digital sector," U.S. Department of Commerce Secreta... Read More

Officials 'thrilled' with EU-US data flows agreement, 'work continues' on finalization

The state of EU-U.S. data flows has unquestionably been the most talked about issue among data privacy professionals since the invalidation of EU-U.S. Privacy Shield. Despite excitement around the recent agreement in principle to stabilize data flows, remarks from involved parties at the IAPP Global Privacy Summit 2022 indicate the finish line is in sight but not quite on the immediate horizon. The political agreement announced by EU-U.S. officials March 25 for the Trans-Atlantic Data Privacy F... Read More

EU, US agree 'in principle' to new trans-Atlantic data agreement

U.S. President Joe Biden and European Commission President Ursula von der Leyen announced Friday that the U.S. and EU have reached a new trans-Atlantic data flow agreement. Importantly, the agreement is in principle only at this point, and details about the deal are not yet known.  In a press conference from Brussels, Biden said, "Today we have agreed to unprecedented protections for data privacy and security for our citizens. This new arrangement will enhance the Privacy Shield framework, prom... Read More

Top 5 operational impacts of China's PIPL — Part 5: International data transfers

China’s Personal Information Protection Law, which is still in the process of being fleshed out through implementing regulations and official guidance, provides a regulatory framework that governs the cross-border transfer of personal information. This article focuses on PIPL and the transfer mechanisms it proposes to safeguard personal information transferred out of China. Note that the PIPL is only one piece in the patchwork of Chinese legislation that addresses cross-border data transfers, a... Read More

Data portability in the EU: An obscure data subject right

The EU General Data Protection Regulation aims to empower individuals and give them "control" over their personal data. To do this, data subjects have been granted various rights, including the right to data portability, which did not exist under the Data Protection Directive. Contrary to the well-known access right, data portability allows data subjects to obtain and reuse their personal data, at least in theory. In January 2022, we asked data protection expert lawyers in our Lex Mundi Network... Read More

Data transfers, UK GDPR reform top of mind at DPI: UK

Among the many topics top of mind for privacy pros at the IAPP Data Protection Intensive: UK in London is proposed reforms to the UK General Data Protection Regulation and the future of transborder data flows. This comes as the U.K.'s post-Brexit international data transfers agreement officially went into force Monday and negotiations around the current trans-Atlantic impasse continue behind the scenes.  A day after U.K. Information Commissioner John Edwards made his first major public speech s... Read More

Data Transfer Enforcement, Risk and Compliance: What You Need to Know Now

Original Broadcast Date: February 2022 In this LinkedIn Live event, IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, Future of Privacy Forum Vice President Gabriela Zanfir-Fortuna, Bird & Bird Partner Ruth Boardman and American University Senior Project Director Alex Joel, CIPP/G, provide an in-depth discussion on what organizations should know about recent enforcement actions, ongoing investigations and current compliance options as we await a diplomatic solution.... Read More

Privacy and security for big data processing in the financial sector

Big data analytics in the financial sector around the world has become increasingly crucial to improve business efficiency, reduce operational costs and address long-standing business challenges. The term big data was coined in the early 1990s and, as the name suggests, it is “big.” Not just in size, but also in terms of speed of generation and diversity, which is why traditional computer algorithms are often not able to process big data as efficiently as conventional data. For example, a mass... Read More

Post-‘Schrems II': Can EU regulators set aside a risk-based approach for conducting transfer impact assessments?

The recent public statements from EU data protection authorities, including local regulators, and the European Data Protection Board, notably at the IAPP Europe Data Protection Congress in November 2021, have raised some legitimate concerns among the privacy community. Some are academic, others practical. Most are related to international transfers of personal data under the EU General Data Protection Regulation.  From clarity to perplexity A first concern stems from the EDPB's guidelines date... Read More

Doing business across borders — A global future or a splintered internet?

In one of many quotable Shakespeare-isms, the famous bard wrote in “The Tempest,” “what’s past is prologue.” In the instance of data transfers, national borders and digital trade, the “prologue” stretches back to the early days of the Y2K era with a landmark case against Yahoo! — the big technology player of the day. A French court blocked Yahoo! from selling Nazi memorabilia to French users on its auction sites. Yahoo!’s lawyers argued this would be technically impossible, as the internet “has... Read More

EDPB discusses data transfer guidance considerations, key points

With the recent adoption of guidelines on the interplay between Article 3 and Chapter V of the EU General Data Protection Regulation relating to international data transfers, the European Data Protection Board sought to answer a question that has been debated going back five years to the GDPR's original drafting. But as is usually the case when addressing the complex topic of transfers, answering one question has spawned so many others. EDPB Secretariat Head Isabelle Vereecken said during a Lin... Read More

New EDPB guidelines define international transfers: Dancing in place

On Nov. 18, the European Data Protection Board adopted new guidelines on the interplay between Article 3 and Chapter V of the EU General Data Protection Regulation. The guidelines answer the threshold question that underpins GDPR’s data transfer regime — what is a transfer? In short, the EDPB explains, a transfer occurs when personal data moves from an organization subject to the GDPR to a separate organization outside of EU territory. Simple, isn’t it? The answer seems more than obvious, but ... Read More

A globalized CBPR framework: Peering into the future of data transfers

Last month, at the IAPP’s Privacy. Security. Risk. 2021 conference, an important moment occurred that may have been easy to miss. The moment took place during a panel discussion among current and former U.S. Department of Commerce staff titled “The Evolution of International Privacy Policymaking in the U.S. Government.” Just as billed, the discussion ranged across data flow issues around the world, from the EU-U.S. Privacy Shield (“We’re almost done.”) to new privacy laws in Brazil and India. I... Read More

Filling in the blanks: What is the transfer of personal data and when will Chapter V obligations be applicable?

On Nov. 18, the European Data Protection Board adopted draft guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the EU General Data Protection Regulation. The draft guidelines are open to public consultation until the end of January. GDPR regulates transfers of data: But what is a transfer? Chapter V of the GDPR sets out rules for the transfer of personal data to third countries or international organizatio... Read More

Confusion about meaning of ‘Schrems II’ impedes global data flow

An unexpected impact of the Court of Justice of the European Union’s “Schrems II” decision is the confusion between the EU General Data Protection Regulation’s Article 45 and Article 46 assessments. There is a distinction between assessing the adequacy of a third country’s laws and assessing impediments in a third country to enforce contracts, Indicium Senior Strategist Lynn Goldstein, CIPP/US, writes. Defining key discrepancies, Goldstein offers a primer to ensure regulations are followed and d... Read More

Companies urge data transfer deal before US-EU Trade and Technology Council

During the inaugural meeting of the U.S.-EU Trade and Technology Council Wednesday, companies and trade groups urged officials to reach a deal on trans-Atlantic data flows, saying an agreement is key to the economy and digital innovation, The Wall Street Journal reports. “Trans-Atlantic data flows are enablers for everything we want to see done in technology,” Information Technology Industry Council Executive Vice President of Policy Rob Strayer said.Full Story... Read More

The UK's new plans for data transfers: An interview with Joe Jones

On Aug. 26, the United Kingdom announced big new plans for international data transfers. As one of the world’s largest economies, a long-time leader in multilateral privacy fora, and a frequent interpreter between European and U.S. approaches to data protection, the U.K. is well-positioned to innovate in this endlessly challenging and integral policy arena. Last week, I had the opportunity to discuss the U.K.’s plans with Joe Jones, Deputy Director of International Data Transfers at the U.K. De... Read More

FAQs for UK ICO's data transfer consultation – including approach to EU SCCs

On Aug. 11, the U.K. Information Commissioner's Office launched a consultation on data transfers. The consultation is relevant to anyone who transfers personal data from the U.K. or who provides services to U.K. organizations. The consultation asks whether it would be helpful for the ICO to approve an addendum, allowing the EU standard contractual clauses to be used for transfers of personal data from the U.K. Even if organizations have no comments on the ICO's other points, this point alone is ... Read More

Can the new standard contractual clauses work for small business?

The European Commission’s release of updated standard contractual clauses and the European Data Protection Board’s recommendations on supplemental measures bring both welcome clarity and new challenges for companies transferring data from the European Union to the United States. On the positive side, the updated SCCs, which reflect the realities of the EU General Data Protection Regulation, are designed to be more flexible and their modular design makes them easier to use. They can be used for p... Read More

EU considers canceling trade, data flow talks with US

Data protection may not be at the forefront of global policy discussions, but it's certainly gaining importance and notoriety. So much so it's now being used as a potential bargaining chip in foreign relations and politics. Two EU officials told Politico the planned EU-U.S. Trade and Technology Council meeting Sept. 29 in Pittsburgh, Pennsylvania, is now in jeopardy with the EU threatening to cancel over issues between the U.S. and France related to a U.S.-U.K. submarine contract with Australia... Read More

Researchers seek to simplify transfers of EU health data

In a piece for Nature Medicine, science and medical researchers outlined the need to ease data transfer barriers on health data sharing outside the EU for research purposes. The group argued COVID-19 has shown "international collaborations and global data sharing are essential for health research," but current restrictions on data sharing for non-pandemic-related data may bring "damaging effects." They noted the high threshold for anonymized data under the EU General Data Protection Regulation a... Read More

How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How to Address Them

The Information Technology and Innovation Foundation released a report on increasing prevalence of global barriers to international data transfers. Measures to localize data have spiked since 2017, with the number of countries restricting cross-border data flows jumping from 35 to 62 and overall restrictions from 67 to 144. The ITIF listed China, Indonesia, Russia and South Africa as the countries most restrictive on data flows. The group said policymakers should work to avoid data localization,... Read More

A year after 'Schrems II' ruling, uncertainty remains

A whole year has passed since the Court of Justice of the European Union struck down the EU-U.S. Privacy Shield and effectively shook the privacy space. Privacy professionals are still considering whether true progress been made toward a solution to stabilize and safeguard international data transfers during the last 365 days. The answer varies depending on who's being asked. IAPP Research Director Caitlin Fennessy, CIPP/US, Hogan Lovells Partner Eduardo Ustaran, CIPP/E, and NOYB Founder Max Sc... Read More

'Schrems II': A Year On

Original Broadcast Date: July 2021 One year ago, the Court of Justice of the European Union’s “Schrems II” decision shook the privacy profession and global data transfers by invalidating the EU-U.S. Privacy Shield Framework and calling into question broader data transfers. A year hence, the tremors continue. The decision spawned new standard contractual clauses and a host of detailed guidance on supplementary measures to ensure equivalent protection and mitigate government surveillance. And yet... Read More

The road ahead in an uncertain world of cross-border data transfers

The European Commission recently issued its decision approving revised standard contractual clauses for data transfers to third countries in the official journal. The new SCCs arrive at a critical juncture in the regulation of cross-border data transfers, as there is significant uncertainty in the market around how to address cross-border data transfer restrictions. What is the legal context for the introduction of the new SCCs?  The new SCCs are a mechanism companies can use to address the r... Read More

European Commission adopts UK adequacy decisions

Almost five years to the day from when the Brexit vote took place, the questions around U.K. adequacy have been laid to rest, at least for now. The European Commission announced it officially adopted a pair of adequacy decisions for the U.K., one for the EU General Data Protection Regulation and another for the Law Enforcement Directive. The announcement comes just days before the "bridging mechanism" for data transfers between the EU and U.K. was set to expire. "The U.K. has left the EU but t... Read More

EDPB rapporteur details board's supplementary measures

The EU finally dropped the other shoe this week in regards to its international data transfer conundrum. On June 21, the European Data Protection Board followed up the European Commission's introduction of revamped standard contractual clauses for personal data transfers with its final recommendations on supplementary measures for transfers. The recommendations themselves feature a six-step process organizations must take to map data transfers and the mechanisms used for them. The process invol... Read More

EDPB’s data transfer recommendations adopt a risk-based approach with teeth

On June 21, the European Data Protection Board issued its highly anticipated final recommendations on supplementary measures for data transfers. The recommendations outline a process organizations can follow to transfer personal data outside the European Economic Area to ensure compliance with the "Schrems II" judgment. The initial draft of the recommendations, released in November 2020, took the data protection world by surprise by preventing organizations from considering the “subjective” lik... Read More

The future of data localization and cross-border transfer in China: a unified framework or a patchwork of requirements?

Until now, China’s data localization and cross-border data transfer requirements were not laid out in one piece of legislation but could be found scattered in the Cybersecurity Law and its draft implementing regulations, as well as in various sectoral regulations, which contain specific requirements applicable to data processed by entities in specific sectors.    With the June 10 enactment of the Data Security Law that will take effect Sept. 1 and the upcoming Personal Information Protection La... Read More

EU-US data transfer deal still work in progress, despite new alliance

U.S. President Joe Biden and European Commission President Ursula von der Leyen have put pen to paper on the establishment of a new EU-U.S. Trade and Technology Council, pledging to foster greater synergies in areas including artificial intelligence, green tech, and security. But on the key issue of establishing a new trans-Atlantic data transfer accord, talks this week did not break the deadlock. Ahead of the EU-U.S. summit in Brussels Tuesday, rumors had surfaced suggesting the U.S. administr... Read More

Demystifying data transfers to US data importers: Looking at ‘Schrems II’ from a different angle

On Nov. 10, 2020, the European Data Protection Board issued a draft version of a recommendation on measures to supplement data transfer rules to ensure compliance with the EU General Data Protection Regulation. The measures aren't binding because the document is not final yet. The EDPB made the recommendation after the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield July 16, 2020, and found that organizations relying on the standard contractual clauses may need to i... Read More

The Irish High Court judgment on EU-US data flows

The Irish High Court's May 14 judgment concerning Facebook's EU-U.S. data transfers sheds light on the Irish Data Protection Commission's and the court's initial views on issues with significant global implications. In the judgment, Justice David Barniville dismissed Facebook Ireland's arguments that the process followed by Ireland's Data Protection Commissioner in its own-volition inquiry into Facebook Ireland's EU-U.S. data transfers was flawed. This allows the inquiry to proceed.  As a proc... Read More

Why the Biden administration should 'go big' on global data transfers solution

We are all hopeful the U.S. government can reach an agreement with the European Commission and other EU authorities on a so-called "Privacy Shield 2.0" in the near term. Such an updated arrangement is essential to provide certainty to trans-Atlantic business and assure a high level of protection for personal data transfers.   But what's next? Over recent years, we have witnessed the Court of Justice of the European Union invalidate one trans-Atlantic commercial data transfer vehicle after ano... Read More

Biden appoints Christopher Hoff to oversee Privacy Shield talks

The Biden administration has selected a privacy veteran for the key post overseeing negotiations for a replacement Privacy Shield. Christopher Hoff, CIPP/E, CIPP/US, CIPM, will serve as deputy assistant secretary for services at the U.S. Department of Commerce, beginning his tenure on inauguration day. Hoff will now become the European Commission’s primary interlocutor in discussions on a framework to protect commercial transfers of personal information across the Atlantic following the Court of... Read More

Do B2B companies not based in the EU need to comply with the GDPR?

I’ve long questioned the extraterritorial scope of the EU General Data Protection Regulation and if non-EU based organizations that engage solely in business-to-business activities fall under the GDPR. The GDPR is at best ambiguous on this issue, and the guidance published to date from the regulators is unhelpful. This issue has been brought into focus because of Brexit and the numerous inquiries I’ve received about whether U.K. B2B companies (with no physical presence in the EU) need to appoi... Read More

Stuck in the middle with you: When US discovery orders hit GDPR

Civil litigants in the United States have broad rights to information — from each other and from others not involved in the litigation, whether or not they are within the U.S. Other countries often have more limited “discovery” rights and often have confidentiality or privacy laws that restrict sharing information or transferring that information across borders, like the EU General Data Protection Regulation. This often generates conflicts for those who are required by U.S. law to deliver evide... Read More

LIBE meeting scrutinizes path forward for EU-US data transfers

There hasn't been much movement on the future of EU-U.S. data transfers nearly two months after the Court of Justice of the European Union rendered its decision to invalidate the EU-U.S. Privacy Shield program. But that may change following a meeting of the European Parliament's Committee on Civil Liberties, Justice and Home Affairs Thursday in Brussels. The LIBE Committee welcomed European Commissioner for Justice Didier Reynders, European Data Protection Board Chair Andrea Jelinek and NOYB Fo... Read More

Is the EU's approach to data transfers the best path forward?

On July 16, 2020, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield framework, sparking debates and discussions among privacy professionals. Perhaps more importantly, the decision gave some interpretation of the standard contractual clauses mechanism and how it should work in the current approach in the EU to personal data transfers outside the EU. But will this decision lead to a crisis in cross-border data flows? Data protection frameworks for transfers outside... Read More

EC calls for harmonization, addresses data transfers in GDPR review

While the EU General Data Protection Regulation has proven to be a valuable framework in the two years since it came into force, it still requires some work regarding proper implementation by EU member states and a potential modernization of cross-border data transfers. That was some of the message put forth by the European Commission in its highly anticipated, two-year GDPR review released Wednesday. In a press conference on the review, European Commission Vice President for Values and Transpa... Read More

Privacy across borders: Enforcement and prescriptive jurisdiction

Before the EU General Data Protection Regulation was effective, we heard tales about how the GDPR covered every business and how even those not within the EU could be subject to fines up to 4% of annual turnover. Now, we are told the same about the California Consumer Privacy Act. These claims are too broad. This article addresses international law issues related to them. Let’s explore them using these hypotheticals: Joe runs a website out of his home in California, but the website targets on... Read More

Announcing the new Cross-Border Data Forum

With cloud computing, law enforcement investigations increasingly seek evidence that is held across borders, in a different country. As we describe in a separate IAPP post, this globalization of criminal evidence is prompting major legislative change and proposals. In 2018 alone, the United States passed the Clarifying Lawful Overseas Use of Data Act to address cross-border issues, and the European Union has proposed its new eEvidence regulation and directive.  To date, there has not been one f... Read More

A look at data transfers under different data protection regulations

Organizations are subject to different regulations to protect personal data that they communicate to overseas recipients for various reasons, including the development of business operations, business relationships or the availability of service providers in third countries. With the EU General Data Protection Regulation, organizations can make international personal data transfer decisions, in the absence of an adequate level decision pursuant to Article 45, using binding corporate rules, stan... Read More

Countdown to GDPR: Part 3 — Cross-border data transfer

The European Union’s new General Data Protection Regulation will go into force May 25, after six years of preparation. It replaces the Data Protection Directive 95/46/ EC and was designed to harmonize data privacy laws across Europe, protecting and empowering all EU citizens.  The rules will apply to all companies that collect the personal information of individuals in the EU, whether the business is based in the European Union or not, and the fines for noncompliance will be extremely onerous. ... Read More

Top 10 operational impacts of the GDPR: Part 4 - Cross-border data transfers

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com... Read More