International Data Transfers

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to international data transfers.

Featured Resources Latest News and Resources Standard Contractual Clauses CJEU Cases: Schrems I & II EU-US Privacy Shield APEC Cross-Border Privacy Rules Binding Corporate Rules Regional Resources

Featured Resources

FAQ
on ‘Schrems II’

These frequently asked questions and links to relevant resources from government authorities and privacy practitioners serve as a resource for privacy professionals working to respond to this significant court decision.
Read More

Transfer Impact Assessment Templates

Organizations around the world have begun conducting transfer impact assessments. The IAPP has published the following templates as one resource to assist privacy professionals in conducting TIAs, and welcome additional templates that can be shared with the privacy community.
Read More

EDPB discusses key points with data transfer guidelines

The EDPB raised questions following recent guidance to clarify what constitutes a data transfer. This article outlines the EDPB’s thought process and emphasis.
Read More

Latest News and Resources

EU Standard Contractual Clauses (Word documents)

On June 4, 2021, the European Commission released new standard contractual clauses for international data transfers. The IAPP’s Research Team created four separate Word documents, one for each transfer scenario accommodated by the new SCCs, incorporating only the modules relevant to that scenario into each document. Read More

Save This

EU adopts adequacy decision with South Korea

European Commissioner for Justice Didier Reynders and South Korea Personal Information Protection Commission Chair Yoon Jong In formally announced an adequacy agreement between the EU and South Korea for transfers of personal data. The adoption process began in June and included a review from the European Data Protection Board. The European Commission also published a question-and-answer document explaining how it reaches adequacy agreements in general and detailing specifics of the pact with So... Read More

Save This

New EDPB guidelines define international transfers: Dancing in place

On Nov. 18, the European Data Protection Board adopted new guidelines on the interplay between Article 3 and Chapter V of the EU General Data Protection Regulation. The guidelines answer the threshold question that underpins GDPR’s data transfer regime — what is a transfer? In short, the EDPB explains, a transfer occurs when personal data moves from an organization subject to the GDPR to a separate organization outside of EU territory. Simple, isn’t it? The answer seems more than obvious, but ... Read More

Save This

A globalized CBPR framework: Peering into the future of data transfers

Last month, at the IAPP’s Privacy. Security. Risk. 2021 conference, an important moment occurred that may have been easy to miss. The moment took place during a panel discussion among current and former U.S. Department of Commerce staff titled “The Evolution of International Privacy Policymaking in the U.S. Government.” Just as billed, the discussion ranged across data flow issues around the world, from the EU-U.S. Privacy Shield (“We’re almost done.”) to new privacy laws in Brazil and India. I... Read More

Save This

Filling in the blanks: What is the transfer of personal data and when will Chapter V obligations be applicable?

On Nov. 18, the European Data Protection Board adopted draft guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the EU General Data Protection Regulation. The draft guidelines are open to public consultation until the end of January. GDPR regulates transfers of data: But what is a transfer? Chapter V of the GDPR sets out rules for the transfer of personal data to third countries or international organizatio... Read More

Save This

	Confusion about the meaning of ‘Schrems II’ impedes global data flows (IAPP, November 2021)
	LinkedIn Live: “UK International Data Transfers Consultation” (IAPP, October 2021)
	Standardizing data-processing agreements globally (IAPP, September 2021)
	Companies urge data transfer deal before US-EU Trade and Technology Council (IAPP, September 2021)
	Sample Data Processing Agreement – Hubspot (Hubspot, September 2021)
	The UK’s new plans for data transfers: An interview with Joe Jones (IAPP, September 2021)
	FAQs for UK ICO’s data transfer consultation – including approach to EU SCCs (IAPP, August 2021)
	Can the new standard contractual clauses work for small business? (IAPP, August 2021)
	EU, US trade, data flow talks back on (IAPP, September 2021)
	EU considers canceling trade, data flow talks with US (IAPP, September 2021)
	Mixed messaging around progress toward EU-US data transfer solution (IAPP, September 2021)
	EU, US progressing on data transfer resolution (IAPP, September 2021)
	Swiss DPA approves use of European Commission’s SCCs (IAPP, August 2021)
	Researchers seek to simplify transfers of EU health data (IAPP, August 2021)
	How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How to Address Them (Information Technology and Innovation Foundation)
	A year after ‘Schrems II’ ruling, uncertainty remains (IAPP, July 2021)
	LinkedIn Live: “‘Schrems II’: A Year On” (IAPP, July 2021)
	EDPB adopts guidelines on codes of conduct for data transfers (IAPP, July 2021)
	The road ahead in an uncertain world of cross-border data transfers (IAPP, June 2021)
	LinkedIn Live: ‘Data Transfers in Practice’ (IAPP, June 2021)
	European Commission adopts UK adequacy decisions (IAPP, June 2021)
	Web Conference: ‘Schrems II’ Data Transfers Impact: Steps to Protect and Enable Transfers (IAPP, June 2021)
	EDPB rapporteur details board’s supplementary measures (IAPP, June 2021)
	LinkedIn Live: ‘EDPB’s New Recommendations for Post-‘Schrems II’ Data Transfers’ (IAPP, June 2021)
	EDPB’s data transfer recommendations adopt a risk-based approach with teeth (IAPP, June 2021)
	The future of data localization and cross-border transfer in China: a unified framework or a patchwork of requirements? (IAPP, June 2021)
	EU-US data transfer deal still work in progress, despite new alliance (IAPP, June 2021)
	EDPS Case Law Digest: Transfers of personal data to third countries (Office of the European Data Protection Supervisor, June 2021)
	LinkedIn Live: ‘SCC Masterclass: Keys to Implementation’ (IAPP, June 2021)
	Demystifying data transfers to US data importers: Looking at ‘Schrems II’ from a different angle (IAPP, May 2021)
	The Irish High Court judgment on EU-US data flows (IAPP, May 2021)
	Cross-Border Implications for International Companies Post-‘Schrems II’ (IAPP, May 2021)
	Why the Biden administration should ‘go big’ on global data transfers solution (IAPP, February 2021)
	Biden appoints Christopher Hoff to oversee Privacy Shield talks (IAPP, January 2021)
	Do B2B companies not based in the EU need to comply with the GDPR? (IAPP, January 2021)
	Stuck in the middle with you: When US discovery orders hit GDPR (IAPP, January 2021)
	Approved Binding Corporate Rules (IAPP, October 2020)
	CIPL white paper: A Path Forward for International Data Transfers under the GDPR after the CJEU Schrems II Decision (CIPL, September 2020)
	NOYB survey: How companies addressed their international data transfers after the CJEU’s ruling in Schrems II (NOYB, September 2020)
	LIBE meeting scrutinizes path forward for EU-US data transfers (IAPP, September 2020)
	Is the EU’s approach to data transfers the best path forward? (IAPP, August 2020)
	EC calls for harmonization, addresses data transfers in GDPR review (IAPP, June 2020)
	A Roadmap for Cross-Border Data Flows: Future-Proofing Readiness and Cooperation in the New Data Economy (World Economic Forum, June 2020)
	The Guide to U.S. Government Practice on Global Sharing of Personal Information, Third Edition (IAPP, March 2020)
	The Privacy Advisor Podcast: What will happen to cross-border data transfers? (IAPP, October 2019)
	Critical Cybersecurity Compliance Issues for Canadian and U.S. Companies Operating across the Border (Business Law Today, June 2019)
	Privacy across borders: Enforcement and prescriptive jurisdiction (IAPP, April 2019)
	Announcing the new Cross-Border Data Forum (IAPP, October 2018)
	A look at data transfers under different data protection regulations (IAPP, August 2018)
	Countdown to GDPR: Part 3 — Cross-border data transfer (IAPP, April 2018)
	The Privacy Shield: What U.S. multinational employers need to know to enjoy the benefits of the newest EU-U.S. data transfer mechanism (IAPP, July 2016)
	Top 10 operational impacts of the GDPR: Part 4 – Cross-border data transfers (IAPP, January 2016)
	A Newbie’s Safe Harbor Odyssey (IAPP, November 2015)
	Need To Get Caught Up on Safe Harbor? We’ve Got You Covered (IAPP, October 2015)

View More Resources

Standard Contractual Clauses

EU Standard Contractual Clauses (Word documents)

Save This

Transfer Impact Assessment Templates

Save This

Why it is unlikely the announced supplemental SCCs will materialize

The European Commission has confirmed it will develop a supplemental set of standard contractual clauses to cover data transfers to data importers already subject to the EU General Data Protection Regulation. The confirmation appears in the minutes of the Sept. 14, 2021, European Data Protection Board meeting, where it discussed the upcoming EDPB guidelines on the interplay between Article 3 GDPR (on scope) and Chapter V (on data transfers). This announcement is a change in course for the EC. W... Read More

Save This

Bird & Bird EU Standard Contractual Clauses Generator

Bird & Bird released a web-based "Standard Contractual Clauses-generator tool aimed at assisting organizations with tailoring new SCCs. Read More

Save This

Can the new standard contractual clauses work for small business?

The European Commission’s release of updated standard contractual clauses and the European Data Protection Board’s recommendations on supplemental measures bring both welcome clarity and new challenges for companies transferring data from the European Union to the United States. On the positive side, the updated SCCs, which reflect the realities of the EU General Data Protection Regulation, are designed to be more flexible and their modular design makes them easier to use. They can be used for p... Read More

Save This

	Top-10 do’s and don’ts for service providers implementing the new SCCs with EU customers (IAPP, June 2021)
	Swiss DPA approves use of European Commission’s SCCs (IAPP, August 2021)
	Getting acclimated with updated SCCs (IAPP, June 2021)
	LinkedIn Live: ‘SCC Masterclass: Keys to Implementation’ (IAPP, June 2021)
	The updated standard contractual clauses — A new hope? (IAPP, June 2021)
	New SCCs are coming soon, but a Privacy Shield replacement remains on the horizon (IAPP, April 2021)
	Web Conference: Making SCCs Work in Practice Today (IAPP, February 2021)
	What to expect when you’re expecting… SCCs — Canadian edition (IAPP, December 2020)
	Schrems II’: What the EDPB Recommendations and Modernized SCCs Mean for You (IAPP, December 2020)
	European Commission publishes proposed replacement SCCs (IAPP, November 2020)
	New EU SCCs: A modernized approach (IAPP, November 2020)
	What to expect on revised standard contractual clauses (IAPP, September 2020)
	Supplementing SCCs to solve surveillance shortfalls (IAPP, August 2020)
	BCRs as a robust alternative to Privacy Shield and SCCs (IAPP, July 2020)

View More Resources

CJEU Cases: Schrems I & II

Frequently Asked Questions & Resources on ‘Schrems II’

The IAPP is publishing these frequently asked questions and links to relevant resources from government authorities and privacy practitioners as a resource for privacy professionals working to respond to this significant court decision. Read More

Save This

DPA and government guidance on ‘Schrems II’

This IAPP Resource Center page collects together DPA and government guidance on 'Schrems II' as it comes out. The IAPP will continue to update this page as new guidance emerges. Read More

Save This

Confusion about meaning of ‘Schrems II’ impedes global data flow

An unexpected impact of the Court of Justice of the European Union’s “Schrems II” decision is the confusion between the EU General Data Protection Regulation’s Article 45 and Article 46 assessments. There is a distinction between assessing the adequacy of a third country’s laws and assessing impediments in a third country to enforce contracts, Indicium Senior Strategist Lynn Goldstein, CIPP/US, writes. Defining key discrepancies, Goldstein offers a primer to ensure regulations are followed and d... Read More

Save This

Guidance notes for responding to ‘Schrems II’

A series of guidance notes from Baker McKenzie on the CJEU's "Schrems II" decision is now available through the IAPP Resource Center. Read More

Save This

LinkedIn Live: "'Schrems II': A Year On"

Published: July 2021 One year ago, the Court of Justice of the European Union’s “Schrems II” decision shook the privacy profession and global data transfers by invalidating the EU-U.S. Privacy Shield Framework and calling into question broader data transfers. A year hence, the tremors continue. The decision spawned new standard contractual clauses and a host of detailed guidance on supplementary measures to ensure equivalent protection and mitigate government surveillance. And yet, the phrase “... Read More

Save This

	Web Conference: ‘Schrems II’ Data Transfers Impact: Steps to Protect and Enable Transfers (IAPP, June 2021)
	LinkedIn Live: ‘EDPB’s New Recommendations for Post-‘Schrems II’ Data Transfers’ (IAPP, June 2021)
	‘Schrems II’ DPA investigations and enforcement: Lessons learned (IAPP, June 2021)
	LinkedIn Live: ‘Data Transfers from the EU: Will derogations save the day?’ (IAPP, March 2021)
	Is a ‘multilateral privacy treaty’ the answer to ‘Schrems II’? (IAPP, March 2021)
	Schrems II’: How to protect against liability when using non-EEA vendors (IAPP, February 2021)
	Data transfers: Questions and answers abound, yet solutions elude (IAPP, January 2021)
	LinkedIn Live: ‘Ask the Expert: EU-US Data Transfers After ‘Schrems II’’ (IAPP, December 2020)
	The post-‘Schrems II’ road isn’t clear, but privacy pros can still take steps forward (IAPP, December 2020)
	‘Schrems II’ déjà vu: What new EDPB guidance means for Canadian businesses (IAPP, December 2020)
	LinkedIn Live: ‘Expectations from the EDPB: A discussion on the new EDPB recommendations for global data transfers’ (IAPP, November 2020)
	LinkedIn Live: ‘Immediate Reactions: EDPB Guidance on Post-Schrems Transfer Safeguards’ (IAPP, November 2020)
	A break down of EDPB’s recommendations for data transfers post-‘Schrems II’ (IAPP, November 2020)
	Web Conference: Post ‘Schrems II’: Examining Your Options and How to Action the Ruling (IAPP, October 2020)
	Web Conference: Navigating the Impact of ‘Schrems II’ and Cross-Border Data Transfers (IAPP, October 2020)
	Post-‘Schrems II’: Understanding Baden-Württemberg’s updated guidance on international data transfers (IAPP, September 2020)
	German state DPA guidance on protected usable data post-‘Schrems II’ (IAPP, September 2020)
	Can synthetic data help organizations respond to ‘Schrems II’? (IAPP, September 2020)
	When law diverges from reality: How are organizations responding to ‘Schrems II’ in practice? (IAPP, September 2020)
	Irish DPC tells Facebook to stop transferring data to the US: Should panic ensue? (IAPP, September 2020)
	Why India needs to keep its eye on the ‘Schrems II’ ruling (IAPP, September 2020)
	How one tech vendor adapted its services in response to ‘Schrems II’ (IAPP, September 2020)
	Legal remedies to US surveillance after ‘Schrems II’ (IAPP, September 2020)
	How would India’s surveillance regime stack up in a ‘Schrems II’ scenario? (IAPP, August 2020)
	‘Schrems II’ requires a rethink of the CLOUD Act (IAPP, August 2020)
	Schrems group files complaints over EU-US data transfers (IAPP, August 2020)
	‘Schrems II’: Impact on Data Flows with Canada (IAPP, August 2020)
	Using ISO/IEC 27701 for cross-border data transfers post ‘Schrems II’ (IAPP, August 2020)
	White Paper – An Overview of US Surveillance in Light of “Schrems II” (IAPP, August 2020)
	US surveillance law and the future of trans-Atlantic data flows (IAPP, August 2020)
	Guidance notes for responding to ‘Schrems II’ (IAPP, July 2020)
	Schrems plans mid-August challenge of Facebook data transfers (IAPP, July 2020)
	Technology, media and telecommunications services after ‘Schrems II’ (IAPP, July 2020)
	What ‘Schrems II’ means for companies that rely on derogations (IAPP, July 2020)
	Using SCCs post-‘Schrems II’: Guidance from DPAs (IAPP, July 2020)
	LinkedIn Live: The ‘Schrems II’ Aftermath: A Deep Dive into SCCs (IAPP, July 2020)
	LinkedIn Live: ‘Schrems II’: The Practical Implications (IAPP, July 2020)
	LinkedIn Live: The CJEU Decision Unpacked (IAPP, July 2020)
	LinkedIn Live: ‘Schrems II’: The Immediate Aftermath (Name, July 2020)
	LinkedIn Live: The ‘Schrems II’ Decision: The Day After (IAPP, July 2020)
	CJEU ‘Schrems II’ Judgment: Action Steps for US Multinational Employers to Keep HR Data Transfers on Track (Littler, July 2020)
	Schrems, Ustaran react to CJEU’s ruling on Privacy Shield, SCCs (IAPP, July 2020)
	The show must go on (IAPP, July 2020)
	Infographic: The impact of the CJEU’s decision on ‘Schrems II’ (IAPP, July 2020)
	What does ‘Schrems II’ mean for EU-UK data flows? (IAPP, July 2020)
	What ‘Schrems II’ means for controller-to-processor SCCs (IAPP, July 2020)
	Dixon, Serwin discuss ‘Schrems II,’ future of data transfers (IAPP, July 2020)
	The ‘Schrems II’ decision: EU-US data transfers in question (IAPP, July 2020)
	‘Schrems 2.0’: 5 business impacts from the advocate general’s opinion (IAPP, January 2020)
	The advocate general’s ‘Schrems II’ opinion: What it says and means (IAPP, December 2019)
	It’s Schrems, round two (IAPP, February 2017)
	The Privacy Shield: What U.S. multinational employers need to know to enjoy the benefits of the newest EU-U.S. data transfer mechanism (IAPP, July 2016)
	European Commission formally adopts Privacy Shield (IAPP, July 2016)
	EU Member States approve Privacy Shield (IAPP, July 2016)
	Model clauses in jeopardy with Irish DPA referral to CJEU (IAPP, May 2016)
	Commission, Commerce announce new EU-US data transfer agreement (IAPP, February 2016)
	Schrems: Stop Sending Data Abroad (IAPP, December 2015)
	LIBE Committee to Commission: Why Did Safe Harbor Last 15 Years? (IAPP, October 2015)
	Following CJEU Ruling, Where Does Schrems Case Go Now? (IAPP, October 2015)
	Safe Harbor “Invalid,” Rules ECJ (IAPP, October 2015)
	Schrems Reacts to Advocate General’s Opinion on Safe Harbor (IAPP, September 2015)
	Schrems v Data Protection Commissioner Just Got a Lot More Interesting (IAPP, September 2015)
	Austrian Court Dismisses Facebook Suit; Schrems “Will Go to a Higher Court” (IAPP, July 2015)
	Safe Harbor Under Fire: You May Want To Change Your Transfer Mechanism (IAPP, May 2015)
	Video: Max Schrems on Facebook and the ECJ at DPC (IAPP, May 2015)
	Facebook Facing Increased Scrutiny in EU; WP29 Now Involved (IAPP, April 2015)
	Commission Says It Cannot Guarantee EU Privacy in U.S. Data Transfers (IAPP, March 2015)
	ECJ Hears Safe Harbor Arguments (IAPP, March 2015)
	Safe Harbor’s Final Reckoning May Begin Next Month (IAPP, February 2015)
	Facebook Class-Action Scheduled; DPA Asks Social Network for Answers (IAPP, January 2015)
	Facebook Class-Action Continues To Grow (IAPP, September 2014)
	Court Rules Facebook Must Respond to Schrems Suit (IAPP, August 2014)
	Commercial Court Punts Facebook Class-Action to Regional Court (IAPP, August 2014)
	Schrems Launches Global Class-Action Against Facebook (IAPP, August 2014)
	Irish High Court Refers Facebook Case to ECJ (IAPP, June 2014)
	Austrian Students Launch Offensive Over Spying (IAPP, July 2013)
	Europe v. Facebook Plans Suit (IAPP, December 2012)
	Law Student’s Quest Against Facebook Continues (IAPP, October 2012)
	Student To Bring Facebook Concerns to EC (IAPP, April 2012)
	Networking Site Faces Suit from Student (IAPP, February 2012)
	Activist: Facebook Will Release Data (IAPP, February 2012)
	Facebook Execs, Activist Meeting Today (IAPP, February 2012)

View More Resources

EU-US Privacy Shield

U.S.-EU Privacy Shield and Transatlantic Data Flows

The U.S. Congressional Research Service released a report on the EU-U.S. Privacy Shield and trans-Atlantic data flows. The report includes options for Congress to facilitate EU-U.S. data flows and a potential enhanced Privacy Shield, including considering whether comprehensive national privacy legislation — potentially aligning with the EU General Data Protection Regulation — would “provide some level of certainty to EU businesses and individuals” and “provide sufficient safeguards and guarantee... Read More

Save This

Privacy Shield Annual and Joint Reviews

When it launched the Privacy Shield in August 2016, the Commission committed to reviewing the Privacy Shield on an annual basis, to assess if it continues to ensure an adequate level of protection for personal data. Annual Reviews by European Commission First Review – Report, Press Release Second Review – Report, Press Release Third Review – Report, Press Release European Data Protection Board Joint Reviews First Joint Review Second Joint Review Third Joint Review ... Read More

Save This

LinkedIn Live: ‘What Do New EU Data Transfer Rules Mean for Privacy Shield?’

Published: June 2021 On June 4, the European Commission released new standard contractual clauses. On June 21, the European Data Protection Board published its final recommendations on supplementary measures for international data transfers. Both present a complex new set of requirements for companies transferring data to countries not deemed “adequate” by the EU and create sometimes insurmountable hurdles for those transfers. How do these new rules affect the Privacy Shield enhancement negotia... Read More

Save This

Hoff: EU, US 'not at the beginning' of Privacy Shield negotiations

As the one-year anniversary of the Court of Justice of the European Union's "Schrems II" decision approaches, the privacy industry has seen a wave of developments on international data transfers. The European Commission adopted new standard contractual clauses. The European Data Protection Board issued its recommendations on supplementary measures for data transfers and the commission adopted a pair of adequacy decisions for the U.K. All of these events took place within the last month, if you... Read More

Save This

EU-US data transfer deal still work in progress, despite new alliance

U.S. President Joe Biden and European Commission President Ursula von der Leyen have put pen to paper on the establishment of a new EU-U.S. Trade and Technology Council, pledging to foster greater synergies in areas including artificial intelligence, green tech, and security. But on the key issue of establishing a new trans-Atlantic data transfer accord, talks this week did not break the deadlock. Ahead of the EU-U.S. summit in Brussels Tuesday, rumors had surfaced suggesting the U.S. administr... Read More

Save This

	Privacy Shield and the UK — FAQs (Privacy Shield Framework, June 2021)
	New SCCs are coming soon, but a Privacy Shield replacement remains on the horizon (IAPP, April 2021)
	Why the EU, US need to solve the ‘urgent’ issue around a replacement Privacy Shield (IAPP, April 2021)
	Industry gauges future of Privacy Shield replacement (IAPP, March 2021)
	Biden appoints Christopher Hoff to oversee Privacy Shield talks (IAPP, January 2021)
	Senate hearing ponders US remedies for Privacy Shield invalidation (IAPP, December 2020)
	Will Privacy Shield’s demise usher in an era of transparency? Part 2 (IAPP, October 2020)
	Israel’s Privacy Shield announcement: Tiptoeing between the EU and US (IAPP, September 2020)
	Irish DPC tells Facebook to stop transferring data to the US: Should panic ensue? (IAPP, September 2020)
	Will Privacy Shield’s demise usher in transparency? (IAPP, August 2020)
	EU, US initiate talks on potential ‘enhanced’ Privacy Shield (IAPP, August 2020)
	The Privacy Advisor Podcast: So Privacy Shield is invalid; what to do next? (IAPP, July 2020)
	Schrems, Ustaran react to CJEU’s ruling on Privacy Shield, SCCs (IAPP, July 2020)
	The show must go on (IAPP, July 2020)
	CJEU invalidates EU-US Privacy Shield; SCCs remain valid (IAPP, July 2020)
	What Privacy Shield organizations should do in the wake of ‘Schrems II’ (IAPP, July 2020)
	The ‘Schrems II’ decision: EU-US data transfers in question (IAPP, July 2020)
	Inside the Privacy Shield annual review: Increasing common ground (IAPP, September 2019)
	Privacy Shield’s second annual review: One privacy pro’s first-hand experience (IAPP, November 2018)
	A Side-By-Side Comparison of “Privacy Shield” and the “Safe Harbor” (Bryan Cave, May 2018)
	Privacy Shield Side-by-Side Comparisons (Bryan Cave, May 2018)
	Privacy Shield Notice Requirements (U.S. Department of Commerce, January 2018)
	What Really Sank Safe Harbor? (IAPP, October 2015)

View More Resources

APEC Cross-Border Privacy Rules

A globalized CBPR framework: Peering into the future of data transfers

Save This

BBB National Programs first APEC-approved US nonprofit Accountability Agent

The Asia-Pacific Economic Cooperation approved the first U.S.-based nonprofit Accountability Agent in the APEC privacy certification systems. Following its approval by a joint oversight board and the 21 APEC economies, BBB National Programs announced it becomes one of seven worldwide recognized Accountability Agents in the APEC Cross Border Privacy Rules and Privacy Recognition for Processors systems. The nonprofit will work one-on-one with companies of all sizes doing business in the 21 econom... Read More

Save This

APEC announces new US Accountability Agent for CBPR certifications

The Asia-Pacific Economic Cooperation is set to boost the status of its Cross-Border Privacy Rules program in the U.S. APEC has announced that certification firm Schellman & Company is the newest CBPR Accountability Agent in the U.S. following approval from a joint oversight panel. Accountability Agents work to ensure companies operating within the 21 APEC member economies have compliant privacy practices and policies in place. Schellman joins TrustArc subsidiary TRUSTe as the only U.S.-b... Read More

Save This

Australia and Chinese Taipei join APEC's Cross-Border Privacy Rules System

Australia and Chinese Taipei have become the latest economies to join the Asia-Pacific Economic Cooperation's Cross-Border Privacy Rules System. Both officially joined as of Nov. 23, when APEC's Electronic Commerce Steering Group Joint Oversight Panel put forward its final findings report. The CBPR system is a voluntary, accountability-based framework that serves to facilitate data flows across the APEC region. As members of the CBPR system, Australia and Chinese Taipei join the U.S., Mexico, Ja... Read More

Save This

As Asia-Pacific rises and integrates, so too could the APEC Cross-Border Privacy Rules

Much of the privacy world is still focused on Europe and the implications of the EU General Data Protection Regulation (and eventually, the ePrivacy Regulation) for digital trade and data practices across borders, particularly between Europe and the U.S. However, Europe holds less than 10 percent of the world’s population, and developing economies in Asia are pressing for a seat at the table setting international rules and norms. Various actors have been working to develop cross-border trade agr... Read More

Save This

	South Korea joins APEC Cross Border Privacy Rules system (IAPP, June 2017)
	GDPR matchup: The APEC Privacy Framework and Cross-Border Privacy Rules (IAPP, May 2017)
	APEC Privacy Framework (Asia-Pacific Economic Cooperation, January 2015)
	The APEC Cross-Border Privacy Rules—Now That We’ve Built It, Will They Come? (IAPP, September 2014)

View More Resources

Binding Corporate Rules

Approved Binding Corporate Rules

Links to some of the approved Binding Corporate Rules, as published by Mehmet Munur, CIPP/US, of Tsibouris & Associates. Read More

Save This

Lithuanian DPA releases opinion on BCRs

Lithuania’s data protection authority, the State Data Protection Inspectorate, released an FAQ on binding corporate rules, stating they can be used as a basis for companies to transfer personal data to third countries in accordance with the EU General Data Protection Regulation. The DPA said companies cannot solely rely on the European Commission’s decision on an adequate level of protection as the main basis for data transfers. The document details who can transfer data to a third country on th... Read More

Save This

BCRs as a robust alternative to Privacy Shield and SCCs

Binding corporate rules are considered the “gold standard” for international data transfers, primarily as they constitute the only data transfer mechanism that carries individual regulatory approval. As all concerned supervisory authorities have participated in the review and approval process, it seems unlikely that a supervisory authority would initiate an enforcement action against a data transfer that takes place on this basis. BCRs are also not in the scope of the "Schrems II" decision, and... Read More

Save This

Argentine DPA approves guidelines for Binding Corporate Rules

Pursuant to Resolution No. 159/2018 published Dec. 7, 2018, in the Official Gazette, the Agency of Access to Public Information (Agencia de Acceso a la Información Pública, in Spanish) approved a set of guidelines for binding corporate rules as a mechanism available to multinational companies to legitimize international data transfers within their group. BCRs are a mechanism to legitimize data exports within a corporate group. They are designed to be a global solution for multinational companie... Read More

Save This

Overview on Binding Corporate rules

The European Commission provides an overview of binding corporate rules include what it is, the purpose, advantages, the procedure and more. Click To View ... Read More

Save This

Regional Resources

Click below to navigate to resources by region.

Argentina, Brazil, Canada, China, France, Hong Kong, India, Israel, Ireland, Japan, New Zealand, South Korea, United Kingdom, United States, Uruguay