Now that U.S. President Joe Biden has issued an executive order to implement the EU-U.S. Data Privacy Framework, privacy professionals are preparing to resume transferring personal data across the Atlantic without being bound by alternative means, like standard contractual clauses, for the first time in more than two years. During a session at the IAPP Privacy. Security. Risk. 2022 conference in Austin, Texas, IAPP Chief Knowledge Officer Caitlin Fennessy, CIPP/US, sat down with U.S. Department... Read More

On Oct. 7, U.S. President Joe Biden issued an “Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities,” and the Department of Justice supplemented it with a new regulation.  As explained by the Commission of the European Union, the executive order and regulation establish “a new two-layer redress mechanism, with independent and binding authority.” In the first layer, “EU individuals will be able to lodge a complaint with the so-called ‘Civil Liberties Protecti... Read More

The wait for a finalized agreement to solidify EU-U.S. data flows is winding down. The latest step forward in the process came with U.S. President Joe Biden's long-awaited executive order mandating new legal safeguards over U.S. national security agencies' access and use of EU and U.S. personal data. The order comes more than six months after Biden and European Commission President Ursula von der Leyen announced an agreement in principle on the EU-U.S. Data Privacy Framework. Talks for that agr... Read More

The Ibero-American Data Protection Network, the RIPD, released guidance documents for implementing standard contractual clauses for international data transfers and transfer agreements. The guidelines aim to outline how and when SCCs should be used, as well as why the clauses are necessary and appropriate. Additionally, the guidelines explain principles for responsibility when transferring data to a third country without adequate data protection measures.Full Story... Read More

On June 30, 2022, the Cyberspace Administration of China released the long-awaited draft provisions on the Standard Contract for the Cross-border Transfer of Personal Information for public consultation. The deadline to submit comments is July 29, 2022. The draft provisions were circulated pursuant to Article 38 of China’s Personal Information Protection Law, under which the government-approved standard contract is one of the lawful transfer mechanisms available that a personal information proce... Read More

An unexpected impact of the Court of Justice of the European Union’s “Schrems II” decision is the confusion between the EU General Data Protection Regulation’s Article 45 and Article 46 assessments. There is a distinction between assessing the adequacy of a third country’s laws and assessing impediments in a third country to enforce contracts, Indicium Senior Strategist Lynn Goldstein, CIPP/US, writes. Defining key discrepancies, Goldstein offers a primer to ensure regulations are followed and d... Read More

On Oct. 7, U.S. President Joe Biden issued an “Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities,” and the Department of Justice supplemented it with a new regulation.  As explained by the Commission of the European Union, the executive order and regulation establish “a new two-layer redress mechanism, with independent and binding authority.” In the first layer, “EU individuals will be able to lodge a complaint with the so-called ‘Civil Liberties Protecti... Read More

Google Chief Privacy Officer Keith Enright, CIPP/G, CIPP/US, wrote a blog post explaining the company's plans to abide by the Global Cross-Border Privacy Rules system. Enright touted the CBPR system as "an important step toward enabling continued, trusted data flows between participating jurisdictions." He added that Google will partake in the Global CBPR Forum to discuss "practical realities of services facing fragmented privacy regulations" while imploring further consultation on "how to make ... Read More

Politico reports the U.S. is pushing forward with various countries on the proposal for Global Cross-Border Privacy Rules despite potential friction with the EU General Data Protection Regulation. A recent meeting between 20 nations in Hawaii sought to finalize details of a global CBPR framework, which existing participants hope will include Brazil and the U.K. by year's end as well as other nations, like Bermuda and Chile, by 2023. However, unnamed EU officials indicated the CBPR framework woul... Read More

Last month, at the IAPP’s Privacy. Security. Risk. 2021 conference, an important moment occurred that may have been easy to miss. The moment took place during a panel discussion among current and former U.S. Department of Commerce staff titled “The Evolution of International Privacy Policymaking in the U.S. Government.” Just as billed, the discussion ranged across data flow issues around the world, from the EU-U.S. Privacy Shield (“We’re almost done.”) to new privacy laws in Brazil and India. I... Read More

The Asia-Pacific Economic Cooperation approved the first U.S.-based nonprofit Accountability Agent in the APEC privacy certification systems. Following its approval by a joint oversight board and the 21 APEC economies, BBB National Programs announced it becomes one of seven worldwide recognized Accountability Agents in the APEC Cross Border Privacy Rules and Privacy Recognition for Processors systems. The nonprofit will work one-on-one with companies of all sizes doing business in the 21 econom... Read More

The Asia-Pacific Economic Cooperation is set to boost the status of its Cross-Border Privacy Rules program in the U.S. APEC has announced that certification firm Schellman & Company is the newest CBPR Accountability Agent in the U.S. following approval from a joint oversight panel. Accountability Agents work to ensure companies operating within the 21 APEC member economies have compliant privacy practices and policies in place. Schellman joins TrustArc subsidiary TRUSTe as the only U.S.-b... Read More

The U.K. Information Commissioner's Office published updated guidance for using binding corporate rules as a data transfer mechanism. The updates are geared toward a "simplified" approach for controllers and processors with the ICO noting it will "only request supporting documents and commitments once during the U.K. approval process." The regulator also called BCRs a "gold standard" transfer mechanism that "demonstrates your commitment to implementing appropriate safeguards."Full Story... Read More

Lithuania’s data protection authority, the State Data Protection Inspectorate, released an FAQ on binding corporate rules, stating they can be used as a basis for companies to transfer personal data to third countries in accordance with the EU General Data Protection Regulation. The DPA said companies cannot solely rely on the European Commission’s decision on an adequate level of protection as the main basis for data transfers. The document details who can transfer data to a third country on th... Read More

Binding corporate rules are considered the “gold standard” for international data transfers, primarily as they constitute the only data transfer mechanism that carries individual regulatory approval. As all concerned supervisory authorities have participated in the review and approval process, it seems unlikely that a supervisory authority would initiate an enforcement action against a data transfer that takes place on this basis. BCRs are also not in the scope of the "Schrems II" decision, and... Read More

Pursuant to Resolution No. 159/2018 published Dec. 7, 2018, in the Official Gazette, the Agency of Access to Public Information (Agencia de Acceso a la Información Pública, in Spanish) approved a set of guidelines for binding corporate rules as a mechanism available to multinational companies to legitimize international data transfers within their group. BCRs are a mechanism to legitimize data exports within a corporate group. They are designed to be a global solution for multinational companie... Read More